Currently the WS-Security code using one exception (WSSecurityException) . We should refactor this to more clearly relate to the recommended fault codes by the WS-Security specification. The specification recommends vague and general responses, but this should be up to the handler to limit the message. The exceptions should contain detailed errors so that outer layers of JBossWS can log reasonable errors to disk, and return vague responses to the client.