XMLSec has dependencies on the Xalan jar. The instance we've run into is: XMLCipher depends on org.apache.xml.utils.URI. The release notes for 1.3 said it wasn't necessary to put xalan on the classpath and the pom file indicates it's a "provided" dependency, which I take to mean the XSLT implementation provided by Java 5+ is good enough.
This will be fixed in a new major release (1.5) next year, as part of the move to use JDK 1.5. Colm.