You can run a web service in authenticated or unauthenticated mode. When you want to restrict access to resources based on the identity of a user, the web service must run in authenticated mode. When a web service is run in authenticated mode, the identity of the user is placed on the same thread on which the web service runs.
The WS-Security specification allows more than one token to be passed in the security header of a SOAP message. When a web service is required to run in authenticated mode by using WS-Security, some mechanism is required to tell the WS-Security runtime environment which token to use for the identity. This mechanism is called a caller configuration.
The WS-Security caller configuration is specified in the server.xml file with the <callerToken> element.
<wsSecurityProvider ...>
    ...
    <callerToken name="UsernameToken" />
    ...
</wsSecurityProvider>
If you configure an X509Token as a caller token, make sure that only one client X509Certificate can be resolved from the security header. For example, ensure that only one client certificate is resolved from the initiator token in an AsymmetricBinding, or that only one client certificate is resolved from an endorsing token.
If you configure a UsernameToken as a caller token, the security header must contain only one UsernameToken.
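As an added example (not Liberty's own code), the following Python script applies the two constraints above to a SOAP envelope's wsse:Security header: given the configured callerToken type, it yields a caller identity only when exactly one candidate token is present and rejects the message otherwise. The function names resolve_caller and accepts_caller, and the sample messages, are constructed for this example; for X509Token the wsu:Id of the certificate element stands in for the subject-to-user mapping a real runtime would perform.

```python
import xml.etree.ElementTree as ET

# Namespaces used in the WS-Security header (WSS 1.0 / 1.1 URIs).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"


def resolve_caller(soap_xml: str, caller_token: str) -> str:
    """Return the identity the configured callerToken selects, or raise
    ValueError when the header holds zero or more than one candidate."""
    header = ET.fromstring(soap_xml).find("soap:Header/wsse:Security", NS)
    if header is None:
        raise ValueError("no wsse:Security header")
    if caller_token == "UsernameToken":
        tokens = header.findall("wsse:UsernameToken", NS)
        if len(tokens) != 1:
            raise ValueError(f"need exactly one UsernameToken, found {len(tokens)}")
        name = tokens[0].findtext("wsse:Username", default="", namespaces=NS).strip()
        if not name:
            raise ValueError("UsernameToken has no Username")
        return name
    if caller_token == "X509Token":
        # Only X509v3 BinarySecurityTokens are candidates; a real runtime would
        # map the certificate subject to a user. The wsu:Id stands in for that here.
        certs = [t for t in header.findall("wsse:BinarySecurityToken", NS)
                 if t.get("ValueType") == X509V3]
        if len(certs) != 1:
            raise ValueError(f"need exactly one X509v3 certificate, found {len(certs)}")
        return certs[0].get(f"{{{NS['wsu']}}}Id", "<unnamed-cert>")
    raise ValueError(f"unsupported callerToken {caller_token!r}")


def accepts_caller(soap_xml: str, caller_token: str) -> bool:
    """True when the header yields exactly one caller identity."""
    try:
        resolve_caller(soap_xml, caller_token)
        return True
    except ValueError:
        return False


# Constructed sample messages for this example (not captured traffic).
def _envelope(security_body: str) -> str:
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
            f'{security_body}</wsse:Security></soap:Header><soap:Body/></soap:Envelope>')

USER_ALICE = '<wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>'
ONE_USER = _envelope(USER_ALICE)
TWO_USERS = _envelope(USER_ALICE + USER_ALICE.replace("alice", "bob"))
ONE_CERT = _envelope(f'<wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="{X509V3}">BASE64CERT</wsse:BinarySecurityToken>')
```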