Consider the abbhreviated policy below. It defines x509 tokens for the initiator and recipient: the initiator's token must be included in all messages from the initiator to the recepient, and the recipient's token must not be included at all.
When Rampart is used as both the client and server for a web service using this policy, the client's certificate is correctly included as a binary security token in the request. However, the response message from the server to the client also includes this as a binary security token when reference which token was used to encrypt the encrypted symmetric key. This is incorrect as the token was marked as only to be included in messages from the initiator to the recipient.
The problem is that the asymmetric security binding uses RampartUtil.setKeyIdentifierType() to determine what type of key references should be used. As present it will always include a binary security token unless the token inclusion parameter is set to never - i.e. it does not take into account whether we are the initiator or not, and so doesn't handle the alwaysToInitiator and alwaysToRecipient inclusion modes.