I have succesfully setup a webservice to use BASIC auth: @PortComponent(authMethod = "BASIC") And I have sucessfully setup a webservice to use UsernameToken: <config> | <username/> | </config> But I can not get both to work together. Does this same like a reasonable requirement? It is a little redundant, but it looks like the only way to get complete security. Because just using UsernameToken doesn't look like it invokes a JAAS login module on the server side. It just sets up the SecurityAssociation. I'll create an issue in jira if anyone thinks this is a bug. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3987662#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...