We have to transfer binary data using web service stack and in the process we have to sign web service requests/responses.
The main question is: what is the prefered way to do this?
Should we use MTOM and WS-Security? From ISSUE CXF-1904 I have concluded that there are issues when one uses MTOM and WS-Security. CXF and axis2 use WSS4J and it seems that WSS4J does not work well with digitally signed messages when you use MTOM.
What about other web service stacks?
From http://ws.apache.org/wss4j/attachments.html :
WSS4J 2.0.0 introduces support for signing and encrypting SOAP message attachments, via the the SOAP with Attachments (SWA) Profile 1.1 specification. There is no support in WSS4J 1.6.x for signing or encrypting message attachments. Attachments can be signed and encrypted in WSS4J via either the "action"-based approach or via WS-SecurityPolicy, as covered in the sections below.