I've been looking recently at resolving JBWS-2210.
The issue is that a WS-Security UsernameToken cannot currently be used in JBoss CXF to integrate with the JBoss security subsystem, so that authentication and authorization decisions can be made against it.
I've done some initial changes in CXF and started a discussion on the cxf dev list.
Here is the summary of the proposed approach.
The idea is to override the CXF WSS4JInInterceptor and provide a CallbackHandler to the WSS4J module which ensures both that authentication occurs and that the current SecurityContext is properly populated. The CXF interceptor which overrides CXF WSS4JInInterceptor is an abstract one: its job is to ensure that, irrespective of whether the incoming password is digested or not, the concrete subclass is asked to authenticate the user and populate a Subject.
CXF also includes an abstract AuthorizingInInterceptor which asks a subclass for the list of expected roles and then asks the SecurityContext whether the user is in one of those roles.
Given the above, here's how I'm thinking of resolving JBWS-2210:
- provide a CXF interceptor (to be included in JBoss CXF) which will extend  and delegate to the JBoss AuthenticationManager to populate a Subject;
- provide a CXF interceptor (to be included in JBoss CXF) which will extend  and retrieve the list of expected roles.
JBoss CXF WS-Security UsernameToken-aware endpoints will include the above two interceptors when authentication and authorization are needed.
At the moment I'm working on a system test validating the above approach.
If you have any comments then please let me know.
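As an added sketch of the two concrete interceptors described above (example code, not from this post, CXF or JBoss CXF): it assumes CXF abstract base classes named AbstractUsernameTokenAuthenticatingInterceptor (with a createSubject hook that receives the token's name, password, digest flag, nonce and created values) and AbstractAuthorizingInInterceptor (with a getExpectedRoles hook), plus JBoss Security's AuthenticationManager.isValid; the digest branch is left failing closed.

```java
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.Subject;
import org.apache.cxf.interceptor.security.AbstractAuthorizingInInterceptor;
import org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.SimplePrincipal;

/** Authenticates the UsernameToken via the JBoss AuthenticationManager and returns the populated Subject. */
public class JBossUsernameTokenInterceptor extends AbstractUsernameTokenAuthenticatingInterceptor {
    private final AuthenticationManager authManager;

    public JBossUsernameTokenInterceptor(AuthenticationManager authManager) {
        this.authManager = authManager;
    }

    @Override
    protected Subject createSubject(String name, String password, boolean isDigest,
                                    String nonce, String created) {
        if (isDigest) {
            // A digested password cannot be checked by a plain isValid() call: a login module with
            // access to the stored password must recompute the digest. Until that path is wired up
            // (assumption of this example), reject rather than accept an unverified token.
            throw new SecurityException("Digest UsernameToken not supported by this interceptor");
        }
        Principal principal = new SimplePrincipal(name);
        Subject subject = new Subject();
        // isValid() runs the configured login modules and, on success, fills the Subject
        // with the caller principal and its role groups.
        if (!authManager.isValid(principal, password, subject)) {
            throw new SecurityException("Authentication failed for user " + name);
        }
        return subject;
    }
}

/** Supplies the roles the endpoint expects; CXF checks them against the SecurityContext. */
class JBossRoleAuthorizingInterceptor extends AbstractAuthorizingInInterceptor {
    private final List<String> expectedRoles;

    JBossRoleAuthorizingInterceptor(String... roles) {
        this.expectedRoles = Arrays.asList(roles);
    }

    @Override
    protected List<String> getExpectedRoles(Method method) {
        // Same role list for every operation; a per-method lookup could replace this.
        return expectedRoles;
    }
}
```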