Now, I managed to avoid it by registering a Handler (extending org.apache.axis2.handlers.AbstractHandler) in the Security phase (axis2.xml). In this handler I simply mark the header as processed. After doing this, the response is the expected
one: “authentication failed”.
However, I feel like this job is not a fix but is a way to avoid the real problem. Doesn’t Rampart handle this kind of issue ? Is there something I can do to have a REAL fix for this ?