A number of minor changes are required to how error handling is implemented for WS-Security in CXF. The SOAP Message security 1.1 specification (chapter 12 "Error Handling") details standard fault strings and fault codes to be returned to the user in the event of an error, something we don't always adhere to in the WSS4JInInterceptor.
In particular, the WSS4JInInterceptor must be modified to catch "WSSecurityException"s thrown by WSS4J, and populate and throw a SoapFault object accordingly. In addition, the content of the SoapFault changes depending on whether SOAP 1.1 or 2.0 is used.
Please review and apply the attached patch for this.