Currently we require the client to call the apache xml security initialization routine. This may not seem like a big deal since jbossws itself is the client, but it should still be properly encapsulated, as the underlying implementation may change.