anonymous wrote : I don't know yet what the best layer is to plug in the ws security. Well, for the protocol it's the username token profile. The current JBossWS implementation delegates to JAAS as well. So we may just delegate to the jbpm security domain for WS authentication. That would be: WS -> WSSE -> JAAS -> JBPM (WSSE is webservice security) View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4126069#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...