This posting might be useful for those people trying to implement WS-Security using
username token authentication. I couldn't find a single document anywhere on the web.
I thought I would create a comprehensive doc.
Please let me know if you guys see any flaw here.
Steps for implementing WS-Security in JBoss using Username token Authentication
I. Server:
1. Create Endpoint for Web Service (Ex: A stateless session bean)
Code sample: TestWSEJB.java
package test;

import javax.ejb.Stateless;
import javax.jws.WebService;
import javax.jws.WebMethod;
import javax.jws.soap.SOAPBinding;
import org.jboss.annotation.security.SecurityDomain;
import org.jboss.ws.annotation.EndpointConfig;

// Stateless session bean exposed as a JAX-WS endpoint.
@Stateless
@WebService(name = "TestWSEJB",
            targetNamespace = "http://test",
            serviceName = "TestWSEJBService")
@SOAPBinding(style = SOAPBinding.Style.DOCUMENT)
// Selects the handler chain that contains the server-side WS-Security handler.
@EndpointConfig(configName = "Standard WSSecurity Endpoint")
// Security domain (from login-config.xml) used to check the credentials.
@SecurityDomain("JBossWS")
public class TestWSEJB {

    @WebMethod
    public String ping(String name) {
        return "Hello : " + name;
    }
}
@EndpointConfig(configName = "Standard WSSecurity Endpoint")
This refers to the configuration of that name in the file
{JBOSS_HOME}\jboss-4.2.1.GA\server\default\deploy\jbossws.sar\META-INF\standard-jaxws-endpoint-config.xml
Portion of standard-jaxws-endpoint-config.xml file:
<endpoint-config>
  <config-name>Standard WSSecurity Endpoint</config-name>
  <post-handler-chains>
    <javaee:handler-chain>
      <javaee:protocol-bindings>##SOAP11_HTTP</javaee:protocol-bindings>
      <javaee:handler>
        <javaee:handler-name>WSSecurity Handler</javaee:handler-name>
        <javaee:handler-class>org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer</javaee:handler-class>
      </javaee:handler>
    </javaee:handler-chain>
  </post-handler-chains>
</endpoint-config>
@SecurityDomain("JBossWS")
This refers to the security domain configuration for JBossWS in the file
{JBOSS_HOME}\jboss-4.2.1.GA\server\default\conf\login-config.xml
Portion of login-config.xml file:
<application-policy name="JBossWS">
  <login-module
      code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag="required">
    <module-option name="usersProperties">props/jbossws-users.properties</module-option>
    <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
    <module-option name="unauthenticatedIdentity">anonymous</module-option>
  </login-module>
</application-policy>
2. jboss-wsse-server.xml.
Create jboss-wsse-server.xml and save it in the META-INF or WEB-INF folder (depending on
whether it is an EJB or Web project).
Sample file:
<jboss-ws-security
    xmlns="http://www.jboss.com/ws-security/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.jboss.com/ws-security/config
    http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
</jboss-ws-security>
3. Authentication information
For the security domain above (JBossWS), the credentials are in the jbossws-users.properties file:
{JBOSS_HOME}\jboss-4.2.1.GA\server\default\conf\props\jbossws-users.properties
(Default is UsersRolesLoginModule)
II. Client:
1. Create the client for Web Service.
Sample Code:
Test.java:
package test;

import java.io.File;
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.Service;
import org.jboss.ws.core.StubExt;

public class Test {

    public static void main(String[] args) {
        try {
            Test client = new Test();
            client.doTest(args);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public void doTest(String[] args) {
        try {
            URL url = new URL("http://localhost:8080/WS_Security_Test/TestWSEJB?wsdl");
            QName qn = new QName("http://test", "TestWSEJBService");
            Service s = Service.create(url, qn);
            TestWSEJB port = s.getPort(TestWSEJB.class);

            // Point the stub at the client-side WS-Security configuration file.
            URL securityURL = new File("ejbModule/META-INF/jboss-wsse-client.xml").toURI().toURL();
            ((StubExt) port).setSecurityConfig(securityURL.toExternalForm());
            ((StubExt) port).setConfigName("Standard WSSecurity Client");

            // Credentials for the request.
            ((BindingProvider) port).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "kermit");
            ((BindingProvider) port).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "thefrog");

            System.out.println("Invoking the ping operation on the port.");
            String response = port.ping("Pramod");
            System.out.println(response);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
((StubExt)port).setConfigName("Standard WSSecurity Client");
This refers to the configuration of that name in the file
{JBOSS_HOME}\jboss-4.2.1.GA\server\default\deploy\jbossws.sar\META-INF\standard-jaxws-client-config.xml
Portion of standard-jaxws-client-config.xml:
<client-config>
  <config-name>Standard WSSecurity Client</config-name>
  <post-handler-chains>
    <javaee:handler-chain>
      <javaee:protocol-bindings>##SOAP11_HTTP</javaee:protocol-bindings>
      <javaee:handler>
        <javaee:handler-name>WSSecurityHandlerOutbound</javaee:handler-name>
        <javaee:handler-class>org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerClient</javaee:handler-class>
      </javaee:handler>
    </javaee:handler-chain>
  </post-handler-chains>
</client-config>
TestWSEJB.java:
package test;

import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebResult;
import javax.jws.WebService;
import javax.xml.ws.RequestWrapper;
import javax.xml.ws.ResponseWrapper;

/**
 * This class was generated by the JAX-WS RI.
 * JAX-WS RI 2.1.1-b03-
 * Generated source version: 2.0
 *
 */
@WebService(name = "TestWSEJB", targetNamespace = "http://test")
public interface TestWSEJB {

    /**
     *
     * @param arg0
     * @return
     *     returns java.lang.String
     */
    @WebMethod
    @WebResult(targetNamespace = "")
    @RequestWrapper(localName = "ping", targetNamespace = "http://test", className = "test.Ping")
    @ResponseWrapper(localName = "pingResponse", targetNamespace = "http://test", className = "test.PingResponse")
    public String ping(
        @WebParam(name = "arg0", targetNamespace = "")
        String arg0);
}
2. jboss-wsse-client.xml.
Create jboss-wsse-client.xml and save it in the META-INF or WEB-INF folder (depending on
whether the client is an EJB or Web project).
Sample file:
<jboss-ws-security
    xmlns="http://www.jboss.com/ws-security/config"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.jboss.com/ws-security/config
    http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
</jboss-ws-security>
III. Tools Used:
JBoss Application Server: www.jboss.org
Eclipse IDE: www.eclipse.org
SoapUI for testing Web Services: www.soapui.org
Ws-Consume: JBoss tool (in the JBoss bin folder)
Wireshark (TCP/IP monitoring tool): http://www.wireshark.org
Output from Wireshark (any other TCP/IP monitoring tool can be used). This is the
SOAP envelope that actually goes from the client to the server:
<env:Envelope
    xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>
  <env:Header>
    <wsse:Security env:mustUnderstand='1'
        xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w...
        xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws...
      <wsse:UsernameToken
          wsu:Id='token-1-1205175076833-11112467'>
        <wsse:Username>admin</wsse:Username>
        <wsse:Password>admin</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </env:Header>
  <env:Body>
    <ns2:ping xmlns:ns2="http://test">
      <arg0>Pramod</arg0>
    </ns2:ping>
  </env:Body>
</env:Envelope>
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4136079#...
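The Wireshark capture in the post shows the UsernameToken password as readable text in a request sent over plain HTTP. As an added example (not part of the original post and not JBossWS code), the Java class below audits a captured envelope for that condition. The class name, the finding labels and the sample envelope are assumptions constructed here; the namespace and Type URIs are the full ones from the OASIS WSS 1.0 UsernameToken profile.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class UsernameTokenAudit {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String DIGEST =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest";

    /** Returns a finding label (hypothetical names) for the first UsernameToken in the envelope. */
    static String audit(String envelope, boolean overTls) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Captured traffic is untrusted input: refuse DTDs so parsing it cannot trigger XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(envelope.getBytes(StandardCharsets.UTF_8)));
        NodeList tokens = doc.getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() == 0) return "NO_TOKEN";
        Element token = (Element) tokens.item(0);
        NodeList pw = token.getElementsByTagNameNS(WSSE, "Password");
        if (pw.getLength() == 0) return "TOKEN_WITHOUT_PASSWORD";
        // A Password element without a Type attribute is PasswordText per the profile.
        boolean digest = DIGEST.equals(((Element) pw.item(0)).getAttribute("Type"));
        boolean nonce = token.getElementsByTagNameNS(WSSE, "Nonce").getLength() > 0;
        if (digest) return nonce ? "DIGEST_WITH_NONCE" : "DIGEST_NO_NONCE_REPLAYABLE";
        return overTls ? "CLEARTEXT_PASSWORD_PROTECTED_BY_TLS_ONLY" : "CLEARTEXT_PASSWORD_ON_WIRE";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample shaped like the capture in the post, with placeholder credentials.
        String sample =
            "<env:Envelope xmlns:env='http://schemas.xmlsoap.org/soap/envelope/'>"
          + "<env:Header><wsse:Security env:mustUnderstand='1' xmlns:wsse='" + WSSE + "'>"
          + "<wsse:UsernameToken><wsse:Username>example-user</wsse:Username>"
          + "<wsse:Password>example-password</wsse:Password></wsse:UsernameToken>"
          + "</wsse:Security></env:Header>"
          + "<env:Body><ns2:ping xmlns:ns2='http://test'><arg0>Pramod</arg0></ns2:ping></env:Body>"
          + "</env:Envelope>";
        // false = the request was captured on an http:// endpoint, as in the post.
        System.out.println(audit(sample, false));
    }
}
```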