I've been looking into how jboss does encryption between the client and the service.  I have jboss working using the configuration file jboss-wsse...

encryption works great for the body, however, jboss doesn't encrypt the headers.  Since the SAML token is sent across in a Security header, what are my options for protecting the token?  I saw "EncryptToken" in the picketlink-sts.xml file, does this encrypt the entire token? 

If it works, does it encrypt the entire token?  What do I have to do on the JBoss service side, if anything?

Thanks in advance.