The code is correct. What is missing is the proper configuration of karaf.
By issuing a
features:list | grep cxf-ws-security
you can check if the feature is installed. To install it, just type
I found the solution in the README.md of the cxf/secure-soap fuse quickstart. The whole fuse cxf security guide doesn't mention it!
Also, it's quite weird that a protected service works unprotected when its protection library is missing, with no messages in the log whatsoever.