It seems that we use the standard jaxrpc/jaxws properties as WSSE username token | if (opConfig.getUsername() != null) | { | Object user = ctx.get(Stub.USERNAME_PROPERTY); | Object pass = ctx.get(Stub.PASSWORD_PROPERTY); | | if (user == null && pass == null) | { | user = ctx.get(BindingProvider.USERNAME_PROPERTY); | pass = ctx.get(BindingProvider.PASSWORD_PROPERTY); | } | | if (user != null && pass != null) | { | operations.add(new OperationDescription<EncodingOperation>(SendUsernameOperation.class, null, user.toString(), pass.toString(), null)); | ctx.put(StubExt.PROPERTY_AUTH_TYPE, StubExt.PROPERTY_AUTH_TYPE_WSSE); | } | } | The side effect is that the wsse username token will always be sent via BASIC auth. Is this by design? I thought the wsse username token is independent of transport security. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4092905#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...