Hi! Thank you for the answer. I have more questions though: You are saying that: "The Username token sent in the SOAP Message is the one used by the endpoint server/stack to authenticate the user who is performing this request." Good, this is what I want, I want the user to be authenticated based on the UsernameToken. However,I do not want to secure the servlet as such on http level. I do not want to use http basic authentication in addition to the UsernameToken. As you can see in my previous posts I've been trying to set this up without successes. As soon as I remove the HTTP basic auth authentication I can no lnger retrieve the principal information using the standard API. I can see that the WSEE data is parsed because I can get the principal info using: org.jboss.security.SecurityAssociation.getPrincipal() but no authentication seems to take place. Do you have any examples of UsernameToken without http basic auth where the user is athenticated based on the UsernameToken data? The example under /src/test/java/org/jboss/test/ws/jaxws/samples/wssecurity will be using http basic auth since it is default. Will this example work if http basic auth is removed ??? There implementation of the server is simply doing Principal principal = wsCtx.getUserPrincipal(); | log.info("getUsernameToken: " + principal); | return principal.toString(); | But will this really work if http basic auth is not enabled? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4120370#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...