One note on the server side implementation of the WS: It is not an SLSB. I've used wsconsume and generated java files based on an existing WSDL file. I think that the execution ends up in the org.jboss.ws.extensions.security.ReceiveUsernameOperation class where the following lines are called: securityAdaptor.setPrincipal(new SimplePrincipal(user.getUsername())); | securityAdaptor.setCredential(user.getPassword()); Also, printing the Principal class gives: System.out.println("Getting principal class from SecurityAssociation: " + org.jboss.security.SecurityAssociation.getPrincipal().getClass().getName()); | -- | 2008-01-15 14:49:57,734 INFO [STDOUT] Getting principal class from SecurityAssociation: org.jboss.ws.extensions.security.SimplePrincipal So... I've probably done something bad causing the application not to be registered with the JBossWS security domain or ? I do have <security-domain>java:/jaas/JBossWS</security-domain> in my jboss-web.xml I also have a jboss-wsse-server.xml file with the following contents: <?xml version="1.0" encoding="UTF-8"?> | <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" | xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"> | </jboss-ws-security> I've tried adding: <config> | <username/> | </config> But that did not make it better... What am I doing wrong? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4120107#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...