Incorrect value for ws-security.ut.validator -------------------------------------------- Key: JBWS-3812 URL: https://issues.jboss.org/browse/JBWS-3812 Project: JBoss Web Services Issue Type: Bug Components: jbossws-cxf Affects Versions: jbossws-cxf-4.2.4 Reporter: John Ament Assignee: Alessio Soldano Fix For: jbossws-cxf-5.0 I found a forum post indicating that this value should work, in my hunt to make security work in WildFly. https://community.jboss.org/thread/229071 When you set the parameter ws-security.ut.validator in jaxws-endpoint-config.xml, the value that gets set is in fact the string value, e.g. com.mycompany.cxf.validators.MySpecialValidator CXF is expecting that this is an instantiated instance of the class, not a classname. It results in a ClassCastException. You can see here for reference: http://cxf.apache.org/docs/ws-securitypolicy.html look under Validator implementations. To work around this, you can register a custom InInterceptor and set the value in the message context. It's not ideal, but you could read the value from jaxws-endpoint-config.xml and instantiate that class, passing it back to the message context.