Hi,
I am using the following approach based on JBossWS 2.0.1:
1. I didn't change distribution code
2. Copy to my project (EJB where WS is configured):
org.jboss.ws.extensions.security.jaxws.WSSecurityHandler
org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer
org.jboss.ws.extensions.security.WSSecurityDispatcher
3. Merge WSSecurityHandler and WSSecurityHandlerServer into a single source
(WSSecurityHandler no longer abstract and delete Server) and change the invocation to my
WSSecurityDispatcher copy.
4. Create my own SecurityStore extending org.jboss.ws.extensions.security.SecurityStore:
| import java.security.KeyStore;
| import org.w3c.dom.Element;
| // JBossWS 2.0.1 types; package paths assumed from the 2.0.x native/SPI layout, adjust if needed
| import org.jboss.ws.extensions.security.Util;
| import org.jboss.ws.extensions.security.element.UsernameToken;
| import org.jboss.ws.extensions.security.exception.WSSecurityException;
| import org.jboss.wsf.spi.SPIProvider;
| import org.jboss.wsf.spi.SPIProviderResolver;
| import org.jboss.wsf.spi.invocation.SecurityAdaptor;
| import org.jboss.wsf.spi.invocation.SecurityAdaptorFactory;
|
| public class SecurityStore extends org.jboss.ws.extensions.security.SecurityStore
| {
|    private KeyStore keyStore;
|
|    private KeyStore trustStore;
|
|    private char[] keyStorePassword;
|
|    // Outbound (handleOutbound): the caller is already authenticated by the container,
|    // so the username is taken from the security context.
|    public SecurityStore() throws WSSecurityException
|    {
|       loadKeyStore();
|
|       SPIProvider spiProvider = SPIProviderResolver.getInstance().getProvider();
|       SecurityAdaptorFactory secAdapterfactory = spiProvider.getSPI(SecurityAdaptorFactory.class);
|       SecurityAdaptor securityAdaptor = secAdapterfactory.newSecurityAdapter();
|
|       // getPrincipal() is null when nobody is authenticated; fail explicitly instead of NPE
|       if (securityAdaptor.getPrincipal() == null)
|          throw new WSSecurityException("No authenticated principal for outbound message");
|       String username = securityAdaptor.getPrincipal().toString();
|
|       loadSessionKey(username);
|    }
|
|    // Inbound (handleInbound): the username comes from the wsse:UsernameToken inside the
|    // Security header element that WSSecurityDispatcher passes in.
|    public SecurityStore(Element element) throws WSSecurityException
|    {
|       loadKeyStore();
|
|       Element child = Util.getFirstChildElement(element);
|       String username = null;
|
|       while (child != null)
|       {
|          String tag = child.getLocalName();
|          if ("UsernameToken".equals(tag))
|          {
|             UsernameToken token = new UsernameToken(child);
|             username = token.getUsername();
|             break;
|          }
|          child = Util.getNextSiblingElement(child);
|       }
|
|       // no token means no way to pick a user certificate
|       if (username == null)
|          throw new WSSecurityException("No UsernameToken in Security header");
|
|       loadSessionKey(username);
|    }
|
|    // copy of public methods from SecurityStore
|    // (loadKeyStore() and loadSessionKey(String) are described below)
| }
where:
* loadKeyStore() loads the server key/certificate
* loadSessionKey(String username) loads the user certificate (all certificates have the same
alias)
5. Change WSSecurityDispatcher to instantiate my SecurityStore copy:
* Element parameter constructor at handleInbound
* default constructor at handleOutbound
6. Use my WSSecurityHandler in standard-jaxws-endpoint-config.xml
7. Configure the client with the username tag in jboss-wsse-client.xml and:
| import java.util.Map;
| import javax.xml.ws.BindingProvider;
|
| BindingProvider bindingProvider = (BindingProvider) port;
| Map<String, Object> reqContext = bindingProvider.getRequestContext();
| // USERNAME_HERE: placeholder for the account whose certificate the server should load
| reqContext.put(BindingProvider.USERNAME_PROPERTY, USERNAME_HERE);
| // empty password: the UsernameToken only names the user for the certificate lookup
| reqContext.put(BindingProvider.PASSWORD_PROPERTY, "");
|
That's it!
It is working fine for me (user certs are in LDAP accounts accessed with JNDI -
InitialDirContext).
Any chance of improving the security code to implement something like this out of the box (like
a pluggable SecurityStore with username information)? For 2.0.2?
Thanks,
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4092995#...
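The inbound path in the post picks the user certificate by the name claimed in the UsernameToken, and the client sends that token with an empty password, so the name is untrusted input until the message signature has been checked against the certificate it selects. The class below is an added illustration (not code from the post or from JBossWS) of the checks a hardened version of that lookup would make before handing the certificate to the signature verifier: exactly one Security header and one UsernameToken, a constrained username pattern before it is used as a keystore alias or LDAP key, certificate validity, and a binding between the claimed name and the certificate subject. It assumes a JKS trust store whose aliases are usernames and a "subject CN equals username" policy; the SOAP envelope and the empty trust store are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.regex.Pattern;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added illustration: select a per-user certificate from a wsse:UsernameToken with checks.
public class UsernameTokenCertSelector
{
   static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
   static final String WSSE_NS =
      "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
   // Assumed naming policy: the claimed name becomes a keystore alias / LDAP key, so it is
   // restricted to a short, safe character set before any lookup.
   static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

   // Exactly one soap:Header and one wsse:Security; duplicates are rejected, not first-wins.
   static Element securityHeader(Document doc)
   {
      NodeList headers = doc.getElementsByTagNameNS(SOAP_NS, "Header");
      if (headers.getLength() != 1)
         throw new SecurityException("expected exactly one soap:Header");
      NodeList sec = ((Element) headers.item(0)).getElementsByTagNameNS(WSSE_NS, "Security");
      if (sec.getLength() != 1)
         throw new SecurityException("expected exactly one wsse:Security header");
      return (Element) sec.item(0);
   }

   // Same job as the loop in the post's inbound constructor, but namespace-aware and strict.
   static String usernameFrom(Element security)
   {
      NodeList tokens = security.getElementsByTagNameNS(WSSE_NS, "UsernameToken");
      if (tokens.getLength() != 1)
         throw new SecurityException("expected exactly one wsse:UsernameToken");
      NodeList names = ((Element) tokens.item(0)).getElementsByTagNameNS(WSSE_NS, "Username");
      if (names.getLength() != 1)
         throw new SecurityException("expected exactly one wsse:Username");
      String username = names.item(0).getTextContent().trim();
      if (!USERNAME.matcher(username).matches())
         throw new SecurityException("username does not match the allowed pattern");
      return username;
   }

   // Resolve the certificate and bind it to the claimed name before any signature check.
   static X509Certificate certificateFor(KeyStore trustStore, String username) throws Exception
   {
      if (!trustStore.isCertificateEntry(username))
         throw new SecurityException("no trusted certificate for user " + username);
      Certificate cert = trustStore.getCertificate(username);
      if (!(cert instanceof X509Certificate))
         throw new SecurityException("entry for " + username + " is not an X.509 certificate");
      X509Certificate x509 = (X509Certificate) cert;
      x509.checkValidity(); // throws if expired or not yet valid
      // Without this check a token could name any alias and have that alias's certificate
      // selected; the certificate the signature is verified against must match the claim.
      if (!username.equals(commonName(x509.getSubjectX500Principal())))
         throw new SecurityException("certificate subject CN does not match " + username);
      return x509;
   }

   static String commonName(X500Principal subject) throws Exception
   {
      for (Rdn rdn : new LdapName(subject.getName(X500Principal.RFC2253)).getRdns())
         if (rdn.getType().equalsIgnoreCase("CN"))
            return rdn.getValue().toString();
      return null;
   }

   public static void main(String[] args) throws Exception
   {
      // Constructed sample request: a UsernameToken with no password, as the post's client sends.
      String envelope = "<soap:Envelope xmlns:soap=\"" + SOAP_NS + "\"><soap:Header>"
         + "<wsse:Security xmlns:wsse=\"" + WSSE_NS + "\"><wsse:UsernameToken>"
         + "<wsse:Username>alice</wsse:Username></wsse:UsernameToken></wsse:Security>"
         + "</soap:Header><soap:Body/></soap:Envelope>";
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      dbf.setNamespaceAware(true);
      dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
      Document doc = dbf.newDocumentBuilder()
         .parse(new ByteArrayInputStream(envelope.getBytes(StandardCharsets.UTF_8)));
      String user = usernameFrom(securityHeader(doc));
      System.out.println("claimed user: " + user);

      // An empty trust store stands in for the real one (the post loads user certs from LDAP),
      // so this run exercises the unknown-user rejection path.
      KeyStore trustStore = KeyStore.getInstance("JKS");
      trustStore.load(null, null);
      try
      {
         certificateFor(trustStore, user);
      }
      catch (SecurityException e)
      {
         System.out.println("rejected: " + e.getMessage());
      }
   }
}
```

In the JBossWS setup from the post the already-parsed Security header Element arrives from WSSecurityDispatcher, so only usernameFrom and certificateFor apply there; the main method parses a whole envelope just to run stand-alone. Whatever the real trust source is (LDAP via JNDI in the post), the CN-equals-username binding is the check that keeps one account from presenting another account's certificate under its own name.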