OK, if you're expected to use WS-Security policy and you notice the username token is missing in the message going on the wire, then this is related to the fact that you're not specifying all the required parameters in the message context; again, please have a look at https://docs.jboss.org/author/display/JBWS/WS-Security#WS-Security-Client