Thanks for the quick reply. It looks like that page is exactly the same as the Wiki page that I referenced. What isn't clear is how to secure a JSE (POJO-based service endpoint) versus an EJB-based SE. That page tells how to apply a security policy to an EJB, which I do not have. My setup is described in this Wiki page:
Perhaps there is something I can add to the webservices.xml file?
JSE service endpoints are secured like ordinary webapps. All your security config goes into web.xml.