I think the ws-security policy is not enabled by default when spring is not available because even with policy on, there's still need for further ws-security configurations to be provided and the ws-security configuration in CXF is basically based on Spring.

However, if your tests/app show that it's indeed possible to have at least basic ws-security support even without spring, we'd for sure consider adding this option. You can then create a jira (and perhaps provide a testcase to be run with / verify the patched code ;-) )

Thanks

Was there a jira created for this issue?

I ran in to this issue on JBoss6 when consuming a service where the WSDL simply had a security policy that enforced https transport (so no configuration should be needed) - but this failed as WS-SecurityPolicy interceptors were not added.

cheers,

asgeir

Just a followup on this; see https://issues.jboss.org/browse/JBWS-3284 and some explanations at http://jbossws.blogspot.com/2011/05/jbossws-400beta1-is-out.html