"darran.lofthouse(a)jboss.com" wrote : I am thinking about having a look at this
issue and just wanted to bring up some ideas here. The reason I am looking at this is
because although there is a solution based on using EJB endpoints there is still a
consistent demand for this capability for POJO endpoints.
|
| We currently have the following unscheduled issue: -
|
| http://jira.jboss.org/jira/browse/JBWS-1999
Hi Darran, interesting that there's a consistent demand for these WS-Security related
features. That issue is assigned to me but you're welcome to reassign it and work on it.
anonymous wrote : I have seen the contributed code but this does not integrate with our
current WS-Security handlers so I am proposing a more integrated solution.
I think the idea of forcing the authentication by calling the WSSecurityManager's
.authenticate(...) method is good; that's IMHO the missing piece for POJO endpoints,
since with EJB3 endpoints the EJB3 layer takes care of requesting the authentication.
Of course I agree with you that we can't have this called from other handlers; I didn't
spend a lot of time looking at this, but I guess the current ReceiveUsernameOperation
could be a nice place to do this.
anonymous wrote : My idea would be to re-open the following issue to allow the
UsernameToken to be set as a requirement on the incoming message: -
|
| http://jira.jboss.org/jira/browse/JBWS-1136
Generally speaking, I agree with you that there should be a way to say "ok, the username
token is required".
anonymous wrote : The configuration should have an attribute 'authenticate=true';
if set we can make use of the programmatic web authentication available from JBoss
4.2.0.GA: -
|
| http://wiki.jboss.org/wiki/WebAuthentication
|
| In addition to this the configuration could then contain a set of the allowed roles to
| call the endpoint, and if this is set, after the authentication we could use isCallerInRole
| to verify that the user is in an allowed role.
|
| The use of the WebAuthentication above does mean that we can mainly use the standard
| servlet APIs after the authentication, and this change would be achieved with a small
| amount of additional configuration. As we have authenticated, this will still be
| propagated to the calls to any subsequent EJBs.
|
I think it would be better to leave the configuration of the allowed roles to the login
module configuration. Maybe I'm missing something, but I think we could simply let
the user configure the security domain as usual, and then the login module(s) configured
for that security domain will have the roles configuration. Btw, by doing this you'll also
get the digest/nonce feature of the UsernameToken Profile for free (see the test for
JBWS-1988), also for POJO endpoints.
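As an added example of the flow Darran sketches above (this is not code from the thread, from JBossWS, or from the JBWS-1999 contribution), here is a JAX-WS handler for a POJO endpoint that makes the wsse:UsernameToken mandatory, authenticates it through the JBoss 4.2 programmatic WebAuthentication API from the linked wiki page, and then authorizes with the servlet isUserInRole() check. The class name, the hard-coded ALLOWED_ROLES set and the @HandlerChain wiring are assumptions; it does not go through JBossWS's own WSSecurityManager, so the digest/nonce handling mentioned in the reply is not covered, and a plain-text password in the token only makes sense over TLS.

```java
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;

import org.jboss.web.tomcat.security.login.WebAuthentication;

/**
 * Added example (not JBossWS code): require a WS-Security UsernameToken on
 * inbound requests, authenticate it against the web app's security domain via
 * WebAuthentication.login(), then enforce a role set with isUserInRole().
 * Assumptions: registered on the endpoint with @HandlerChain, roles hard-coded
 * here instead of read from handler configuration, PasswordText password.
 */
public class UsernameTokenAuthHandler implements SOAPHandler<SOAPMessageContext> {

    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final QName SECURITY = new QName(WSSE_NS, "Security");
    private static final QName USERNAME_TOKEN = new QName(WSSE_NS, "UsernameToken");
    private static final QName USERNAME = new QName(WSSE_NS, "Username");
    private static final QName PASSWORD = new QName(WSSE_NS, "Password");

    // Hypothetical allowed-role set; the reply argues this belongs in the login module config.
    private static final String[] ALLOWED_ROLES = { "wsuser" };

    public Set<QName> getHeaders() {
        // Declare the Security header as understood so a mustUnderstand="1" header is accepted.
        return Collections.singleton(SECURITY);
    }

    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
            return true; // only the request is checked
        }
        try {
            SOAPHeader header = ctx.getMessage().getSOAPHeader();
            SOAPElement token = child(child(header, SECURITY), USERNAME_TOKEN);
            if (token == null) {
                throw fault("wsse:UsernameToken is required on this endpoint");
            }
            String user = text(child(token, USERNAME));
            String pass = text(child(token, PASSWORD));
            if (user == null || pass == null) {
                throw fault("UsernameToken must carry Username and Password");
            }

            // login() delegates to the login modules of the web app's security domain,
            // so the password is verified there and never compared in this handler.
            if (!new WebAuthentication().login(user, pass)) {
                throw fault("Authentication failed");
            }

            // After a successful login() the container has associated the caller with
            // the request, so the standard servlet API answers the role question and the
            // identity propagates to EJBs called from the endpoint.
            HttpServletRequest req = (HttpServletRequest) ctx.get(MessageContext.SERVLET_REQUEST);
            for (String role : ALLOWED_ROLES) {
                if (req.isUserInRole(role)) {
                    return true;
                }
            }
            throw fault("Caller is not in an allowed role");
        } catch (SOAPException e) {
            throw new RuntimeException("Cannot read SOAP header", e);
        }
    }

    public boolean handleFault(SOAPMessageContext ctx) { return true; }

    public void close(MessageContext ctx) { }

    /** First child element of parent with the given name, or null if absent. */
    private static SOAPElement child(SOAPElement parent, QName name) {
        if (parent == null) return null;
        Iterator<?> it = parent.getChildElements(name);
        return it.hasNext() ? (SOAPElement) it.next() : null;
    }

    private static String text(SOAPElement e) {
        return e == null ? null : e.getValue();
    }

    /** Build a SOAP 1.1 Client fault so the caller learns why the request was rejected. */
    private static SOAPFaultException fault(String reason) throws SOAPException {
        QName code = new QName("http://schemas.xmlsoap.org/soap/envelope/", "Client");
        return new SOAPFaultException(SOAPFactory.newInstance().createFault(reason, code));
    }
}
```

Throwing SOAPFaultException from handleMessage makes the JAX-WS runtime reverse direction and return the fault to the client, so a missing token, a bad password and a wrong role all fail closed before the endpoint method runs. Dropping the ALLOWED_ROLES loop and relying on the security domain's login modules for role assignment is the variant argued for in the reply above.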
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4147109#...