This is because Rampart currently doesn't secure the messages coming through OutFaultFlow and InFaultFlow. Currently Axis2 doesn't have a security phase in the OutFaultFlow. A Security phase has to be introduced into <phaseOrder type="OutFaultFlow">. Rampart handlers have to be registered in the InFaultFlow and OutFaultFlow.
Proposed Fix:
Service level errors will be secured using the effective policy of the message (in the OutFaultFlow) and will be validated against the effective policy (in the InFaultFlow).
Protocol errors (errors while processing the security header) will not be secured using the security policy and will not be validated on the client side.
How security is validated in the InFaultFlow
Fault messages will be checked for security fault codes (errors while processing the security header should be reported with the correct fault codes as defined in WSS 1.0, section 6, Error Handling; we currently don't report security errors using these fault codes).
If a security fault code is not found in the fault message, it is assumed to be a service level error and is validated against the effective service policy.
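The InFaultFlow classification described above, as an added example that is not Rampart or Axis2 code: it resolves the fault code QName against the namespace declarations in scope and treats the fault as a protocol error only when it is one of the WSS 1.0 security fault codes, since such a fault skips policy validation. The function names, the `sample` helper and the constructed fault messages are assumptions for illustration.

```python
import io
import xml.etree.ElementTree as ET

# WSS 1.0 secext namespace and the fault code local names it defines.
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSS_FAULTS = {"UnsupportedSecurityToken", "UnsupportedAlgorithm",
              "InvalidSecurity", "InvalidSecurityToken", "FailedAuthentication",
              "FailedCheck", "SecurityTokenUnavailable"}
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
CODE_TAGS = {"faultcode", f"{{{SOAP11}}}faultcode", f"{{{SOAP12}}}Value"}


def fault_codes(xml_bytes):
    """Return fault codes as (namespace, local name), resolving each QName
    prefix against the namespace declarations in scope at that element."""
    scopes, pending, codes = [{}], {}, []
    events = ("start-ns", "start", "end")
    for event, item in ET.iterparse(io.BytesIO(xml_bytes), events=events):
        if event == "start-ns":          # declarations precede their element
            pending[item[0]] = item[1]
        elif event == "start":
            scopes.append({**scopes[-1], **pending})
            pending = {}
        else:
            in_scope = scopes.pop()
            if item.tag in CODE_TAGS:
                prefix, _, local = (item.text or "").strip().rpartition(":")
                codes.append((in_scope.get(prefix, ""), local))
    return codes


def classify_fault(xml_bytes):
    """'protocol': a WSS security fault code is present, so the fault is not
    validated against policy. 'service': validate against effective policy."""
    is_wss = any(ns == WSSE and local in WSS_FAULTS
                 for ns, local in fault_codes(xml_bytes))
    return "protocol" if is_wss else "service"


def sample(code, prefix_ns):
    """Constructed SOAP 1.1 fault (not captured traffic); prefix p -> prefix_ns."""
    return (f'<s:Envelope xmlns:s="{SOAP11}"><s:Body><s:Fault>'
            f'<faultcode xmlns:p="{prefix_ns}">{code}</faultcode>'
            f'<faultstring>constructed</faultstring>'
            f'</s:Fault></s:Body></s:Envelope>').encode()
```

A code whose prefix is undeclared or bound to some other namespace is classified as a service level error, so it still goes through policy validation.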