I admit the questions is stupid, but in the documentation about this issue there is a big confusion, I coudn't understand the principals, when security headers can be added, who can add them, do I need to write my own handler? how to add it? BindingProvider? http security ?? so who talk to whom and whom talks to who?!?!?!
any help is appreciated.
You can use the JBossWS stack as a WSSE-enabled client as well. The concept is similar to the server-side case.
Developer.com has a good article on this topic, entitled Securing Web Services in JBoss Application Server with WS-Security.
The chapter Securing the client using WS-Security (page 3) contains specific information about how you can configure WSSE on the client side.
I hope it helps.