My question is: howto enforce the Webservice to only consume Ws-Sec secured SOAP Requests . Currently the Service processes "plain" SOAP Requests too.

the implemenatation is like this:

(1) we got an wsdl which we have to implement, the wsdl is "plain" which means without embedded or Referenced WS Sec Policy .

(2) we generated the model for the wsdl and implemented an Webservice according to that wsdl

(3) the WS Endpoint is annotated with the appropriate WS Policy ( @Policy(placement = Policy.Placement.BINDING_OPERATION, uri = "META-INF/WS-VWP-WSS10-xxxxxx.xml")

having a proper setup of keystores, ws annotations, wss4j property files, jboss-deployment structure.xml , mainfest, keystores etc. we got it to work so that the webservice processes SOAP Requests which conformes to the demanded WS Security Profile definition. But the Service answers to plain SOAP Requests, too - this has to be disabled.

by reading documentations, i found nothing how to achieve this without modifying the wsdl (by embedding the policy or referencing the policy)

Any Ideas ?