When exposing a webservice using the "@WebServiceProvider" annotation, and protecting it with WSSE username token the WebServiceContext#userPrincipal is not set.

The WEB-INF/jboss-wsse-server.xml is configured as described here:
http://www.jboss.org/community/wiki/JBossWS-WS-Securityoptions#POJO_Endpoint__Authentication_and_Authorization

Although this does not really seem to be enough, as it is also required to have META-INF/standard-jaxws-endpoint-config.xml file with only the "Standard WSSecurity Endpoint" on the server to actually enforce the authentication of the username token.

Attached:

• wstest.war: example war - exposing one webservice (compiled from the content of server.zip)
• server.zip: source for the wstest.war
• client.zip: simple client for the server, sending a username token.

Reproducing the problem:
1) deploy wstest.war to a jboss 5.1.0
2) open the run.sh in the client.zip, and set the JBOSS_5 to fit your installation. It the server is not listening on 8080, modify the url in the client source (WsExampleClient.java).
3) compile and run the client, by running ./run.sh
4) inspect the server log. If this says: "[INFO] Principal = null" we have the problem (expected principal = admin)

Server code:

• service: server.zip:src/main/java/org/example/WsExample.java
• wsdl: server.zip:src/main/webapp/WEB-INF/wsdl
• wsse-config: server.zip:src/main/webapp/WEB-INF/jboss-wsse-server.xml
• wsse-config2: server.zip:src/main/webapp/META-INF/standard-jaxws-endpoint-config.xml

It seems that "wsse-config2" is required. If this is not present, it is possible for the client to send any client credentials it want (or leave them out) and it will still get admission to the service.

Other areas where this has been discussed:

• http://www.jboss.org/index.html?module=bb&op=viewtopic&t=127582&postdays=0&postorder=asc&start=20
• http://www.jboss.org/community/wiki/jbosssecuritytokenservice#comment-2075 (in relation to the same problem in the JBoss STS)

Should be assigned to Darran Lofthouse.