Currently any deployment type looks for a jboss-ws-security.xml file in the corresponding meta data directory. The problem with this is that it is potentially possible to deploy a Servlet ws client and a JSE that both use ws-security in the same archive. In this scenario we would have the client and the server sharing the same configuration which is not a good idea. Lets break these up. This also fixes a secondary bug where Servlet clients look for the descriptor in the wrong place.