My goal is to have an automatic periodic process remotely access a web-service hosted by JBoss and have it secured with WS-Trust using PicketLink/Box.

The remote process is Java code that gets to run once every so often through a timer.

The web-service is a POJO or stateless session bean.

None of this involves any browser based web access. The log in credentials come from a database and have to be fed in by Java code.

Without security, everything works.

I've tried to get an understanding using all the available information, and it took quite a while to start to get a grip on it.

This document seems most relevant to my case: https://community.jboss.org/wiki/SAMLWSIntegrationWithPicketLinkSTS

Obviously things on AS7 is a little different, but I've managed to get a web-based test app working, which (I think) is proof that picketlink is operational.

The Java code successfully logs in using WSTrustClient and SecurityInfo. issueToken() returns an assertion. No exceptions are raised.

But then I get stuck. The web.xml has a security-constraint, because otherwise the web-service seems freely accessible no matter what.

The example code in the article (linked to above), shows that you get the assertion, then create the client service connection, and then supply that assertion to it.

But there is the problem. The client service connection (new Service()) throws an exception, because it wants to see the wsdl file and ends up getting redirected to the sts. Its web interface redirects to an html log in page.

The web-services client part tries to parse that as xml and fails.

Should I remove the security constraint in web.xml? Does the valve in jboss-web.xml provide the security? Without the security constraint in web.xml, there appears to be no security at all, and all the methods are freely invokable.