JBoss.org Community Documentation

Chapter 11. JBossWS - Secure transport

11.1. Client side

JBossWS allows you to require that requests to a given endpoint use SSL by specifying the transportGuarantee attribute in the @WebContext annotation.

Here is an example using an SLSB (stateless session bean) endpoint:

@Stateless
@SecurityDomain("JBossWS")
@RolesAllowed("friend")
@WebContext
(
  contextRoot="/my-cxt",
  urlPattern="/*",
  authMethod="BASIC",
  transportGuarantee="CONFIDENTIAL",
  secureWSDLAccess=false
)
public class EndpointEJB implements EndpointInterface
{
  ...
}

Similarly, to enforce the same requirement on POJO endpoints, you need to edit web.xml and add a user-data-constraint element to your security-constraint element:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All resources</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>friend</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-role>
    <role-name>friend</role-name>
  </security-role>

If you're manually creating your service contract, make sure that the endpoint address in your WSDL file uses a secure protocol. The easiest way is to use an "https://" URL in the location of the soap:address entry:

   <service name="MyService">
    <port name="BasicSecuredPort" binding="tns:MyBinding">
     <soap:address location="https://localhost:8443/my-ctx/SecureEndpoint"/>
    </port>
   </service>

For this to work, the Tomcat SSL connector must be enabled:

   <Connector port="8443" address="${jboss.bind.address}"
        maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
        scheme="https" secure="true" clientAuth="want"
        keystoreFile="${jboss.server.home.dir}/conf/keystores/wsse.keystore"
        keystorePass="jbossws"
        truststoreFile="${jboss.server.home.dir}/conf/keystores/wsse.keystore"
        truststorePass="jbossws"
        sslProtocol="TLS" />

Please refer to the Tomcat 5.5 SSL Configuration HOWTO for further details.


On the client side, the truststore must be installed and made known to the JVM, for example through the following system properties:

      <sysproperty key="javax.net.ssl.keyStore" value="${test.resources.dir}/wsse/wsse.keystore"/>
      <sysproperty key="javax.net.ssl.trustStore" value="${test.resources.dir}/wsse/wsse.truststore"/>
      <sysproperty key="javax.net.ssl.keyStorePassword" value="jbossws"/>
      <sysproperty key="javax.net.ssl.trustStorePassword" value="jbossws"/>
      <sysproperty key="javax.net.ssl.keyStoreType" value="jks"/>
      <sysproperty key="javax.net.ssl.trustStoreType" value="jks"/>

As you can see, this requires you to set up the client environment by specifying both the location and the type of your truststore.

Finally, in case you see the following exception:

  java.io.IOException: HTTPS hostname wrong:  should be <localhost>
    at sun.net.www.protocol.https.HttpsClient.checkURLSpoofing(HttpsClient.java:493)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:418)

you should disable the HTTPS hostname check on the client side by setting:

   <sysproperty key="org.jboss.security.ignoreHttpsHost" value="true"/>
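The "HTTPS hostname wrong" exception above is raised because the name in the server certificate does not match the host in the endpoint URL; the org.jboss.security.ignoreHttpsHost switch removes that comparison, so the client then accepts any certificate that chains to its truststore regardless of which host presented it. The following is an added example, not JBossWS code, that ties together the manual WSDL check, the client truststore settings and this hostname problem: it reads a hand-written WSDL file, refuses to proceed unless the soap:address uses https, then performs a TLS handshake with the truststore from this chapter and prints the subject and subject alternative names of the server certificate next to the URL host, so that a mismatch can be identified and fixed (by reissuing the certificate for the right name or by using the name it was issued for) rather than ignored. The WSDL file name MyService.wsdl and the truststore path wsse/wsse.truststore are assumptions; the class name SecureEndpointCheck is hypothetical.

```java
import java.io.File;
import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example (not part of JBossWS): check that a hand-written WSDL advertises an
 * https endpoint, then report which name the server certificate was issued to, so a
 * "HTTPS hostname wrong" failure can be traced to its cause instead of being disabled.
 */
public class SecureEndpointCheck {

    static final String SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/";

    public static void main(String[] args) throws Exception {
        // Assumed inputs: a local WSDL file and the client truststore from this chapter.
        File wsdl = new File(args.length > 0 ? args[0] : "MyService.wsdl");
        System.setProperty("javax.net.ssl.trustStore", "wsse/wsse.truststore"); // assumed path
        System.setProperty("javax.net.ssl.trustStorePassword", "jbossws");
        System.setProperty("javax.net.ssl.trustStoreType", "jks");

        URL endpoint = soapAddress(wsdl);
        if (!"https".equals(endpoint.getProtocol())) {
            throw new IllegalStateException("soap:address is not https: " + endpoint);
        }

        X509Certificate cert = serverCertificate(endpoint);
        System.out.println("endpoint host : " + endpoint.getHost());
        System.out.println("cert subject  : " + cert.getSubjectX500Principal());
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                // GeneralName tag 2 = dNSName, 7 = iPAddress (RFC 5280); the host above
                // must match one of these (or the subject CN) for the hostname check to pass.
                System.out.println("cert SAN      : type " + san.get(0) + " = " + san.get(1));
            }
        }
    }

    /** Returns the location of the first soap:address element in the WSDL file. */
    static URL soapAddress(File wsdl) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // A service contract should never need a DOCTYPE; refusing one blocks XXE-style input.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(wsdl);
        NodeList addrs = doc.getElementsByTagNameNS(SOAP_NS, "address");
        if (addrs.getLength() == 0) {
            throw new IllegalStateException("no soap:address element in " + wsdl);
        }
        return new URL(((Element) addrs.item(0)).getAttribute("location"));
    }

    /** Handshakes with the endpoint host and returns the leaf certificate it presented. */
    static X509Certificate serverCertificate(URL endpoint) throws Exception {
        int port = endpoint.getPort() == -1 ? 443 : endpoint.getPort();
        // SSLContext.getDefault() honours the javax.net.ssl.* properties set in main().
        try (SSLSocket s = (SSLSocket) SSLContext.getDefault().getSocketFactory()
                .createSocket(endpoint.getHost(), port)) {
            // The handshake validates the chain against the truststore; a raw SSLSocket
            // does not compare the certificate name to the host, which is exactly what
            // lets this tool report the mismatch that HttpsURLConnection rejects.
            s.startHandshake();
            return (X509Certificate) s.getSession().getPeerCertificates()[0];
        }
    }
}
```

Run it with the WSDL path as the first argument. If the handshake itself fails, the truststore settings (location, type, password) are wrong or the server certificate is not in it; if the handshake succeeds but the printed subject and SANs do not contain the endpoint host, that is the mismatch behind the exception shown above.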