The policy for ws-security you're using was created to have an example of ws-policy working with something already implemented in the stack and has some issues, most probably one of them being what you describe. As a matter of fact, that policy does not conform to the ws-security policy specification. This said, of course you can create a jira issue for this, perhaps this could be fixed before actually providing a compliant implementation of ws-security policy. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4180934#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...