Usernametoken support is currently broken as it requires a username and password to be present in the wss security header. According to the WSS specifications (both 1.0 and 1.1*) these are optional elements in wsse:UsernameToken. If either one of these elements are missing, then JBossWS incorrectly throws a WSSecurityException.

See http://anonsvn.jboss.org/repos/jbossws/stack/native/trunk/modules/core/src/main/java/org/jboss/ws/extensions/security/element/UsernameToken.java lines 78 and 84 for where it should not be throwing this error.

*
1.1 spec http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf
1.0 spec http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf