He told me his WS doesn't use the JBoss WS Native. But after I've deleted all the JBoss WS Native components such as the jbossws-native-xxx.jar, the ../deploy/jbossws.sar and ../deployer/jbossws.deployer, the WS doesn't work. And I got "java.lang.ClassNotFoundException: org.jboss.ws.core.jaxws.spi.ProviderImpl".
I wonder how to determine if a WS uses JBoss WS Native or not.
If the application server version you're using has the jbossws-native stack installed, any webservices app you deploy on the application server is using jbossws-native, unless you properly isolate the application and provide different webservices libraries in the deployment, so that the app can still work (but this is neither easy to do nor supported).
As Jim mentioned, the security issue has been dealt with; make sure you're using the latest available EAP product version. Also consider switching to the JBossWS-CXF stack / EAP version.
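An added example, not part of the original thread: a way to inventory whether a deployment archive ships its own JAX-WS provider, which is the only case described above where an app would not run on the server's installed stack. It assumes the provider is registered through the standard `META-INF/services/javax.xml.ws.spi.Provider` service file; the function names and the sample archives are constructed for illustration.

```python
import io
import zipfile

SERVICE_FILE = "META-INF/services/javax.xml.ws.spi.Provider"
# Provider class named in the ClassNotFoundException quoted in the question.
NATIVE_PROVIDER = "org.jboss.ws.core.jaxws.spi.ProviderImpl"

def _zip(files):
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def _providers_in(zf):
    """Provider class names registered by the service file of one archive."""
    if SERVICE_FILE not in zf.namelist():
        return []
    lines = zf.read(SERVICE_FILE).decode("utf-8", "replace").splitlines()
    # Service files allow '#' comments and blank lines.
    stripped = (line.split("#", 1)[0].strip() for line in lines)
    return [name for name in stripped if name]

def bundled_providers(archive_bytes, path=""):
    """Walk a WAR/EAR/JAR, nested archives included: {archive path: [classes]}."""
    found = {}
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return found
    with zf:
        if names := _providers_in(zf):
            found[path or "<root>"] = names
        for entry in zf.namelist():
            if entry.lower().endswith((".jar", ".war", ".sar")):
                nested = f"{path}/{entry}".lstrip("/")
                found.update(bundled_providers(zf.read(entry), nested))
    return found

def verdict(archive_bytes):
    """Classify a deployment by the JAX-WS provider it bundles, if any."""
    classes = {c for names in bundled_providers(archive_bytes).values() for c in names}
    if not classes:
        return "server stack"  # nothing bundled: the installed stack serves the app
    if NATIVE_PROVIDER in classes:
        return "bundles jbossws-native"
    return "bundles other provider"  # only effective with classloader isolation
```

A "server stack" result means the deployment depends on whatever stack the application server has installed, so removing jbossws-native from that server breaks it.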