Minor Description
The StaxActionInInterceptor class uses NO_SECURITY and OPERATION Security events.
These are passed in the soap message under a SecurityEvent.class.getName() + ".in" key
The events are stored there in the WSS4JStaxInInterceptor. Only the events used are actually filtered out!
I assume this is a bug, or a badly documented feature 
The reason I'm looking at this, is I wanted to use the same events in my own interceptor, but they never appeared. I think I might override the WSS4JStaxInInterceptor for now to do that.