The JBossWS-CXF WebServiceContextFactory implementation returns an instance of org.jboss.ws.common.invocation.WebServiceContextAdapter wrapping the Apache CXF WebServiceContextImpl. That overrides the getUserPrincipal() and isUserInRole(String role) method, retrieving the information from the HttpServletRequest.
While that's usually, fine, when running WS-Security apps, Apache CXF can get the principal through WSS4J / UsernameToken authentication; the WebServiceContextImpl has proper logic for checking that as well as the data coming from HttpServletRequest when the HTTPDestination is in use.
So we need to use a WebServiceContextDelegate wrapper instead of the WebServiceContextAdapter, to avoid overriding the 2 methods above.