I finally managed to get the username token profile stuff working. It ends up in the endpoint. But for Servlet Based Endpoints (perhaps also for ejb based endpoints) it seems that noting happens with the username and password. I had expected the JAAS Module associated with the webapp to be called but it is not. So the Principal is also not created. I am overlooking something? Even if only using the username token profile option of WS-Security (no message encryption or signing) still a Jboss-wsse-server.xml is needed. The current handelInbound method of WSSecurityDispatcher does not take the username into account it seems. It would be a good idea to user / develop a suitable CallBackHandler / LoginModule to create the principle. Is any work done on this? Thnx Karl View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3973559#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...