I have been able to get this working by specifying a specific port in the Address element. Here is what the policy file looks like now:
<?xml version="1.0" encoding="UTF-8" ?>
<attachments xmlns:wsp="http://www.w3.org/ns/ws-policy"
             xmlns:wsa="http://www.w3.org/2005/08/addressing"
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:PolicyAttachment>
    <wsp:AppliesTo>
      <wsa:EndpointReference>
        <wsa:Address>/AuthenticationService</wsa:Address>
      </wsa:EndpointReference>
    </wsp:AppliesTo>
    <wsp:Policy>
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="true">
                <wsp:Policy/>
              </sp:HttpsToken>
            </wsp:Policy>
          </sp:TransportToken>
        </wsp:Policy>
      </sp:TransportBinding>
    </wsp:Policy>
  </wsp:PolicyAttachment>
</attachments>

The deficiency in the class EndpointReferenceDomainExpression is still a problem though. The ws addressing schema (http://www.w3.org/2006/03/addressing/ws-addr.xsd) indicates that xs:anyURI is a valid value for the Address element. Since CXF isn't honoring this value, it seems this is a bug.
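Added example, not part of the original post and not CXF code: a Python audit of an external policy attachment file that lists each wsa:Address, the URI form it takes, and whether the attached policy carries an HttpsToken with RequireClientCertificate="true", so an endpoint whose attachment never takes effect can be spotted by review. The function names, the second attachment and host.example are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "wsp": "http://www.w3.org/ns/ws-policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
}

# Constructed sample: the attachment from the post, followed by a hypothetical
# second attachment (host.example) whose policy has no HttpsToken at all.
SAMPLE = """<attachments xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:PolicyAttachment>
    <wsp:AppliesTo><wsa:EndpointReference>
      <wsa:Address>/AuthenticationService</wsa:Address>
    </wsa:EndpointReference></wsp:AppliesTo>
    <wsp:Policy><sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
      <sp:HttpsToken RequireClientCertificate="true"><wsp:Policy/></sp:HttpsToken>
    </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding></wsp:Policy>
  </wsp:PolicyAttachment>
  <wsp:PolicyAttachment>
    <wsp:AppliesTo><wsa:EndpointReference>
      <wsa:Address>https://host.example:9001/OtherService</wsa:Address>
    </wsa:EndpointReference></wsp:AppliesTo>
    <wsp:Policy/>
  </wsp:PolicyAttachment>
</attachments>"""

def classify_address(addr):
    # xs:anyURI allows all three forms; report which one the file uses.
    parts = urlsplit(addr)
    if not parts.scheme:
        return "relative"
    return "absolute-with-port" if parts.port else "absolute-no-port"

def audit(xml_text):
    # One (address, uri_form, client_cert_required) row per wsa:Address.
    rows = []
    for att in ET.fromstring(xml_text).findall("wsp:PolicyAttachment", NS):
        addrs = att.findall("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", NS)
        tokens = list(att.iter("{%s}HttpsToken" % NS["sp"]))
        mtls = bool(tokens) and all(
            t.get("RequireClientCertificate", "false").lower() == "true" for t in tokens)
        for a in addrs:
            addr = (a.text or "").strip()
            rows.append((addr, classify_address(addr), mtls))
    return rows
```

The rows only describe what the file declares; whether the running service actually demands a client certificate still has to be confirmed against the endpoint itself.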
