I implemented WS-Security for Usernametoken authentication for an EJB3 bean. Everything is working fine. But I noticed that when I send the SOAP envelope with just a wsse:security header (without any child elements) , the system allowed to invoke the service (No authentication happened). Is there a bug in there?

Code is same as the post here: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=131719