WS security really builds on top of existing specifications. There is transport-level security (such as SSL), payload security (such as XML Encryption and digital signatures), and security features provided by the platform itself. It is not uncommon to find all of these used in combination, rather than exclusively, to secure a WS.
In the J2EE/Web services world, since a WS endpoint is exposed as a JAX-RPC servlet or an SLSB (stateless session bean), some of the authentication mechanisms already provided by the J2EE platform can be extended and applied to WS authentication. A servlet-based endpoint can use the same methods and procedures as any normal servlet, i.e., configuring web.xml to use the appropriate authentication methods. An SLSB endpoint can use Principal and UserRole to investigate propagated credentials.