OK, I need to try this but it's most probably an issue related to the AS7 classloading isolation. Which module/jar is rjb.ws4.security.client.ClientCallbackHandler class in? is it in the same jar that has the client code shown above?
This client code is in a Servlet class in a WAR. The rjb.ws4.security.client.ClientCallbackHandler class is in the same WAR in a different package. Yeah, I have a feeling this is due to the AS7 classloading as it seems like its a dependency CXF/WSS4J would have on my WAR with the callback.
All the examples I have seen in JBossWS don't get into WS-Secuiry Username (X509 stuff mostly) and I dug this one up from the CXF documentation here
under the heading Username Token Authentication.
ok, I see the problem, thanks. We did not face this yet probably because the username token tests that are part of the jbossws testsuite run with the client out of container.
We need to figure out the best way to solve this, as the callback classloading is performed by Apache CXF which is not aware of (and is not supposed to consider) the AS7 modular classloading. I'll have a look at this and fix once I'm back from vacation (unless a colleague of mine or someone else from the community fix it in the mean time).
I've done some testing that proved I was actually wrong, iow I can't reproduce your issue. I've created a modified version of our ws-security username token profile testcase  having the client invoked by a servlet which is shipped inside a war archive also containing the client username callback. The client is successfully using the callback handler. Btw, I've checked the wss4j code and noticed that the callback class is loaded using the thread context classloader, which is fine here (for a war deployment, the class contents of the war should always be visible in the TCCL). Can you check you're not perhaps modifying the tccl before the relevant ws-security client code is executed?
In any case you can have a look at the org.jboss.test.ws.jaxws.samples.wsse.UsernameServletTestCase I've added, the archives that are built, etc.
The test is passing against current AS 7 master.
I upgraded to JBossAS 7.0.1.Final and I can't seem to reproduce this error on my end either. Hmm, very strange but I appear to be able to use the WS-Security Username code as intended. Thanks for you time in looking into this.