From what I can tell jbossws has concurrency issues in building the request handler chain when more than one handler is specified, and multiple requests are made to the server while it is starting. The problem is that too many copies of the handlers are inserted into the handler chain because more than one thread is building it. This only becomes apparent when one of the handlers is for WS Security. During request handling, the first WS Security handler removes the wsse header, so any subsequent handler throws an exception. The client receives the fault string "This service requires <wsse:Security>, which is missing". The server stack trace:

javax.xml.ws.WebServiceException: org.jboss.ws.core.CommonSOAPFaultException: This service requires <wsse:Security>, which is missing.
at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.processHandlerFailure(HandlerChainExecutor.java:276)
at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:155)
at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callRequestHandlerChain(HandlerDelegateJAXWS.java:87)
at org.jboss.ws.core.server.ServiceEndpointInvoker.callRequestHandlerChain(ServiceEndpointInvoker.java:126)
at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:170)
at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:408)
at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:272)
at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:189)
at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:122)
at org.jboss.wsf.stack.jbws.EndpointServlet.service(EndpointServlet.java:84)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)

Steps to duplicate

• Create web service that exposes a ping() method, and requires both WS Security and WS Addressing. A customized standard-jaxws-endpoint-config.xml file is required.
• Create a client application that calls ping() every second in a loop
• Start the server
• Once the server initializes, start 2 instances of the client
• Restart the server
• Most of the time the error will start to occur for every request. You may have to restart the server a few time to get the error condition. Sometimes the server is able to initialize successfully. If it is successful, it will stay that way. Even having many clients pounding on the server for hours will not cause the error.
• Once the error condition begins, the server is unable to properly process any more ping requests, even if both clients are stopped, and only one is restarted.

standard-jaxws-endpoint-config.xml addition:
<endpoint-config>
<config-name>WSAddressing + WSSecurity Endpoint</config-name>
<post-handler-chains>
<javaee:handler-chain>
<javaee:protocol-bindings>##SOAP11_HTTP</javaee:protocol-bindings>
<javaee:handler>
<javaee:handler-name>WSAddressing Handler</javaee:handler-name>
<javaee:handler-class>org.jboss.ws.extensions.addressing.jaxws.WSAddressingServerHandler</javaee:handler-class>
</javaee:handler>
<javaee:handler>
<javaee:handler-name>WSSecurity Handler</javaee:handler-name>
<javaee:handler-class>org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer</javaee:handler-class>
</javaee:handler>
</javaee:handler-chain>
</post-handler-chains>
</endpoint-config>

I have attached sample server and client code that you can use to demonstrate the bug.

I was able to prevent the error from occurring with a slight modification to callRequestHandlerChain() in org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS. I changed:

if (isInitialized() == false)
{
resolver.initHandlerChain(sepMetaData, HandlerType.PRE, true);
resolver.initHandlerChain(sepMetaData, HandlerType.ENDPOINT, true);
resolver.initHandlerChain(sepMetaData, HandlerType.POST, true);
setInitialized(true);
}

to

if (isInitialized() == false)
{
synchronized(this)
{
if (isInitialized() == false)

{ resolver.initHandlerChain(sepMetaData, HandlerType.PRE, true); resolver.initHandlerChain(sepMetaData, HandlerType.ENDPOINT, true); resolver.initHandlerChain(sepMetaData, HandlerType.POST, true); setInitialized(true); }

}
}