Web Server Authenticated Services and Clients
Using the standard security policies (such as SAML Sender Vouches or Username Authentication with Symmetric Keys) means that your web service servlet is deployed in a manner that is unprotected by web server authentication. In these cases it is the responsibility of the web service, not the web server, to enforce authentication.
You can also deploy your servlet behind web server authentication. In order to do this, use the webServerAuthenticated security policy when deploying, as documented in:
<Windchill>/bin/adminTools/WebServices/security.properties
The tooling automatically updates the protected resource configuration within <Windchill>/apacheConf (provided you are using a project to build and deploy the service). If Apache is running, these changes are propagated to your local Apache configuration, and Apache should simply be restarted. If you are using a web server other than Apache, or your Apache is not located on the same host as Windchill, you must propagate these changes manually to your web server configuration.
By default, the JAX-WS handler chain is configured to contain a handler implementation that imposes user credentials on outgoing requests from your web service client. These credentials can be supplied programmatically using the setUsername(String user) and setPassword(String password) methods on the com.ptc.jws.client.handler.Credentials class. Alternatively, credentials can be supplied through the wt.webservice.user and wt.webservice.password system properties.
You can also override the handler implementation using the handler.chain.authentication property within your build.xml file. If you implement your own handler, you must set the javax.xml.ws.BindingProvider.USERNAME_PROPERTY and javax.xml.ws.BindingProvider.PASSWORD_PROPERTY properties within the javax.xml.ws.handler.soap.SOAPMessageContext object supplied to your handler implementation.
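The following is an added example, not code from the product or its documentation, of a replacement handler that sets the two required properties on outgoing requests and refuses to send a request when no credentials are configured. The class name is hypothetical, and reading the credentials from the wt.webservice.user and wt.webservice.password system properties is a choice made for this example.

```java
import java.util.Collections;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

// Hypothetical handler class for use with the handler.chain.authentication property.
public class SystemPropertyCredentialsHandler implements SOAPHandler<SOAPMessageContext> {

    @Override
    public boolean handleMessage(SOAPMessageContext context) {
        // Credentials belong on requests only; let responses pass through untouched.
        Boolean outbound = (Boolean) context.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (!Boolean.TRUE.equals(outbound)) {
            return true;
        }

        // Assumption of this example: credentials come from the system properties
        // named on this page rather than being hard-coded in the client.
        String user = System.getProperty("wt.webservice.user");
        String password = System.getProperty("wt.webservice.password");

        // Fail closed: abort the call instead of sending an unauthenticated
        // request. The message names the properties but never echoes their values.
        if (user == null || user.isEmpty() || password == null) {
            throw new WebServiceException(
                "wt.webservice.user and wt.webservice.password must both be set");
        }

        // The two properties a custom handler must set on the message context.
        context.put(BindingProvider.USERNAME_PROPERTY, user);
        context.put(BindingProvider.PASSWORD_PROPERTY, password);
        return true;
    }

    @Override
    public boolean handleFault(SOAPMessageContext context) { return true; }

    @Override
    public void close(MessageContext context) { }

    @Override
    public Set<QName> getHeaders() { return Collections.emptySet(); }
}
```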
If you undeploy a web service that is protected by web server authentication, the tooling does not automatically update your web server configuration to remove the previously protected resource. You must reconfigure your web server manually.