If you need the principal without authentication, you can either set no security domain for your endpoint or provide a custom security domain that does not authenticate with something like this in the login-config.xml: | <application-policy name = "no-auth"> | <authentication> | <login-module code = "org.jboss.security.ClientLoginModule" flag = "required"> | </login-module> | </authentication> | </application-policy> | Then configure jbossws to use ws-security with the username token profile and get the principal in your endpoint implementation. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4152776#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...