When trying to use Wss4jSecurityInterceptor from the wss4j2 package, validation is still performed when no security is set. This does not happen from the deprecated one in the wss4j package. We use this as a simple simulator and thus we turned security off. It looks like the real issue is that when calling WSSecurityUtil.decodeAction(), when NO_SECURITY is used, it returns an empty list instead of a list with 0 in it and thus:
fails in validateMessage() since the list is really empty.