The decode method from org.apache.wss4j.dom.util.WSSecurityUtil doesn't appear to do the right thing when sending NoSecurity.
There seems to be an assumption that if someone will add NoSecurity it will always be in the first position.
But if we're sending for instance "UsernameToken NoSecurity Signature" we're getting back [ 1 ].
If we want NoSecurity to override all other actions, we should probably return 
should probably be replaced with