I have never used it directly(ws-security) however jboss seems to be supporting most of the oasis standards. I guess that after configuration of ws-security(authentication, authorization, token etc. - in jboss there are special files for that, both on server and client side) client is just passing user credentials in the beggining, after that security is handled by the server/client(it fills soap message with right header parts).