It seems that we use the standard jaxrpc/jaxws properties as WSSE username token
if (opConfig.getUsername() != null) { Object user = ctx.get(Stub.USERNAME_PROPERTY); Object pass = ctx.get(Stub.PASSWORD_PROPERTY); if (user == null && pass == null) { user = ctx.get(BindingProvider.USERNAME_PROPERTY); pass = ctx.get(BindingProvider.PASSWORD_PROPERTY); } if (user != null && pass != null) { operations.add(new OperationDescription<EncodingOperation>(SendUsernameOperation.class, null, user.toString(), pass.toString(), null)); ctx.put(StubExt.PROPERTY_AUTH_TYPE, StubExt.PROPERTY_AUTH_TYPE_WSSE); } }
Thats a bug then, it should not be sent. IIRC the way I had originally written it, the SOAP Call implementation dropped any auth type it did not understand, which is why i introduced AUTH_TYPE_WSSE.