Thanks for acknowledging the problems I found, Alessio. However, my tests reveal that this is not completely correct:
* the actual issue in your configuration for setting up jbossws-native ws-security w/ username token auth is in the fact the jboss-wsse-server.xml descriptor above should not have the <username/> element at all. That element is a client side configuration element for adding the username token header into the message, which is something the client does. The server will automatically check for existence of that header and try performing authentication. This is the reason why there's no "username" element in the "requiresType" in the schema, which is correct.
I have three basic test cases:
1) request has WS-Security header with a valid username/password
2) request has WS-Security header with an invalid username/password
3) request has no WS-Security header.
I expect the follwing results in these cases:
1) request is processed, non-error response
2) request is disallowed ("Invalid User".)
3) request is disallowed ("This service requires <wsse:Security>, which is missing").
However. the above test suite only passes with a file jboss-wsse-server.xml like that in the sample (note that I have commented out the schema stuff so it won't fail vaidation in Eclipse).
<?xml version="1.0" encoding="UTF-8"?>
<jboss-ws-security>
<!-- xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"-->
<config>
<requires>
<username/>
</requires>
</config>
</jboss-ws-security>
With this config (as implied by your comment:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-ws-security>
<!-- xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"-->
<config>
<!-- <requires> -->
<!-- <username/> -->
<!-- </requires> -->
</config>
</jboss-ws-security>
then the first two test cases pass but the third one does not, that is, requests without the W2Security header are allowed. Thus it seems that the <username> element IS required on the server side to perform security checks correctly.