JAX-WS: security header not included in SOAP request

After migrating from JDK6/Weblogic 11 to JDK8/Weblogic 12 our web services stopped working. After the first deploy we got following error

SEVERE: MASM0001: Default configuration file [ metro-default.xml ] was not found

Web services were implemented using following application library dependency instead of Weblogic implementation

    <dependency>
        <groupId>com.sun.xml.ws</groupId>
        <artifactId>jaxws-tools</artifactId>
        <version>2.1.7</version>
        <exclusions>
            <exclusion>
                <groupId>com.sun.xml.messaging.saaj</groupId>
                <artifactId>saaj-impl</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

After replacing that dependency with following

    <dependency>
        <groupId>com.sun.xml.ws</groupId>
        <artifactId>jaxws-rt</artifactId>
        <version>2.2.10</version>
        <scope>pom</scope>
        <exclusions>
            <exclusion>
                <groupId>com.sun.xml.messaging.saaj</groupId>
                <artifactId>saaj-impl</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

and by including these entries in WAR package’s weblogic.xml descriptor

        <wls:prefer-application-resources>
            <wls:resource-name>META-INF/services/javax.xml.ws.*</wls:resource-name> 
            <wls:resource-name>META-INF/services/com.sun.xml.ws.*</wls:resource-name> 
            <wls:resource-name>META-INF/services/com.sun.tools.ws.*</wls:resource-name>
        </wls:prefer-application-resources>

I get rid of the [ metro-default.xml ] was not found exception, but instead get this. It means my client doesn’t include the security header on the request at all, thus authentication fails at the server.

com.sun.xml.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Error on verifying message against security policy Error code:1000 Please see the server log to find more detail regarding exact cause of the failure.

Here is the policy definition of the WSDL

<wsp:UsingPolicy wssutil:Required="true"/>
  <wsp:Policy wssutil:Id="usernametoken">
    <ns1:SupportingTokens xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512">
      <wsp:Policy>
        <ns1:UsernameToken ns1:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
            <ns1:WssUsernameToken10/>
          </wsp:Policy>
        </ns1:UsernameToken>
      </wsp:Policy>
    </ns1:SupportingTokens>
  </wsp:Policy>

And here is what we do to configure and retrieve the client. This used to work without any issues after migrating to Weblogic 12 and changing the JAX-WS implementation.

    public SessionFacadeBean getSessionFacadeBean() {
        QName qname = new QName("http://foobar",
                "foobarWS");
        SessionFacadeBeanWS service
            = new SessionFacadeBeanWS (WSDL_LOCATION, qname);
        SessionFacadeBean bean = 
                service.getSessionFacadeBeanPort();
        // Setting security policy

        List<CredentialProvider> credProviders = new ArrayList<CredentialProvider>();
        credProviders.add(new ClientUNTCredentialProvider(USERNAME
                .getBytes(), password.getBytes()));

        Map<String, Object> rc = ((BindingProvider) bean).getRequestContext();
        rc.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
                wsdlLocation);
        rc.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);

        return bean;
    }

Why the new JAX-WS implementation doesn’t respect this configuration?