We are implementing WS-Security Policy on our web services with the following framework/module/specification.
Apache Axis2 1.6.2
Apache Rampart 1.6.2
WS-Security Policy 1.2 (namespace: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702)
We are facing the following issues while creating/consuming the service.
- Axis2 WSDL generation logic ignores the <sp:NoPassword/> assertion. After debugging, I realized that it is because of the logic in org.apache.ws.secpolicy.model.UsernameToken (rampart-policy-1.6.2.jar) that expects <sp:WssUsernameToken11 /> (or <sp:WssUsernameToken10 />) to be specified. Again, when I specify that, the <sp:NoPassword/> is created as a child element of <sp:WssUsernameToken11 />, which was causing <sp:NoPassword/> to get ignored on the client (consumer) side.
- In the implementation of the org.apache.rampart.PolicyBasedResultsValidator/handleSupportingTokens method, the NoPassword scenario is not considered; hence it always fails saying "org.apache.axis2.AxisFault: UsernameToken missing in request".
- On the consumer side, for WS Security policy 1.2 to work, we had to remove rahas-1.6.2.mar from the client side rampart repository; there is a JIRA ticket too: https://issues.apache.org/jira/browse/RAMPART-371
Please suggest if I missed something here.
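
A check for the placement problem described in the post above, as an added example that is not part of the original post or of Axis2/Rampart: it reports whether sp:NoPassword sits directly in the wsp:Policy of sp:UsernameToken, where WS-SecurityPolicy 1.2 defines it, or ended up nested under another assertion. The policy fragments, the WS-Policy namespace and the names `sample_policy` and `no_password_placement` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# sp namespace as given in the post. The wsp namespace is an assumption
# (WS-Policy 1.2), so wsp:Policy is matched by local name only.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"


def sample_policy(token_body):
    """Build a constructed policy around the given UsernameToken content."""
    return (
        f'<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}"><sp:SupportingTokens>'
        f"<wsp:Policy><sp:UsernameToken><wsp:Policy>{token_body}</wsp:Policy>"
        f"</sp:UsernameToken></wsp:Policy></sp:SupportingTokens></wsp:Policy>"
    )


# Constructed sample: NoPassword as a sibling of WssUsernameToken11.
DIRECT = sample_policy("<sp:NoPassword/><sp:WssUsernameToken11/>")
# Constructed sample: the nesting described in the post.
NESTED = sample_policy(
    "<sp:WssUsernameToken11><sp:NoPassword/></sp:WssUsernameToken11>"
)


def no_password_placement(xml_text):
    """Classify sp:NoPassword for every sp:UsernameToken in a policy or WSDL.

    'direct' - child of the token's own wsp:Policy
    'nested' - present, but deeper inside another assertion
    'absent' - not present under the token at all
    """
    root = ET.fromstring(xml_text)
    no_password = f"{{{SP}}}NoPassword"
    results = []
    for token in root.iter(f"{{{SP}}}UsernameToken"):
        policies = [c for c in token if c.tag.rsplit("}", 1)[-1] == "Policy"]
        if any(c.tag == no_password for p in policies for c in p):
            results.append("direct")
        elif next(token.iter(no_password), None) is not None:
            results.append("nested")
        else:
            results.append("absent")
    return results


if __name__ == "__main__":
    for name, doc in (("direct", DIRECT), ("nested", NESTED)):
        print(name, "sample ->", no_password_placement(doc))
```

Running the function over the generated WSDL on the service side and over the policy file used by the client shows on which side the assertion is lost.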