Adding wss4j to existing app

 
Ranch Hand
Posts: 107
I have been tasked with adding security to an existing web service running on Axis on Tomcat. Looking around I found wss4j. If you know of something better please let me know.

I need to inject security requirements into an existing application without altering the existing app. We are using https. We need the clients to send the username and password with each request. No state is kept. Everything is asynchronous. Clients could be any platform (Java, .Net, php or whatever).

In my mind I imagine only needing some sort of filter/listener (I think Axis is calling these handlers) that will interrupt each request and authenticate each user. If they authenticate they continue. If not, they are rejected. We might have to inject a token into the request representing the user's authentication (used for audit trails). But that is to be used in the app only and not returned to the client.

So my question is this. Will wss4j do that for me?

Also, I am having a difficult time wrapping my head around the architecture of both wss4j and how it fits into Axis. Do you know of any good document or book out there? The tutorials on Axis' site just don't work and make no sense (granted it could be me): Axis Deployment Tutorial and Axis Deployment Examples
 
Rancher
Posts: 43081
77
You're on the right track with wss4j. It uses JAX-RPC handlers, which you can tack on to a web service w/o altering the WS code itself. There are a couple of introductory links to information about wss4j in the Web Services FAQ; those might help you get going. Authentication in particular is not hard to do.

As to the overall architecture, wss4j sits on top of Axis. It implements the WS-Security standard, and as such should be accessible by non-Java clients as well. And you can use wss4j on the client side to connect to a non-Java WS server that supports WS-Security.
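
Added example, not part of either post and not wss4j's own code: a password callback that a wss4j receiver handler could call to check the UsernameToken on each request, leaving the service class untouched. It assumes WSS4J 1.5.x on Axis 1.x; the WSDD wiring in the comment, the class name `example.ServicePasswordCallback` and the sample user are assumptions made for illustration.

```java
package example;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Assumed wiring inside the existing <service> element of server-config.wsdd:
//   <requestFlow>
//     <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
//       <parameter name="action" value="UsernameToken"/>
//       <parameter name="passwordCallbackClass" value="example.ServicePasswordCallback"/>
//     </handler>
//   </requestFlow>
public class ServicePasswordCallback implements CallbackHandler {
    // Constructed sample store; a real deployment would query its user directory.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static { USERS.put("alice", "constructed-sample-password"); }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unexpected callback type");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String expected = USERS.get(pc.getIdentifer()); // spelled this way in WSS4J 1.5.x
            if (expected == null) throw new IOException("Authentication failed");
            if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // Plaintext password type (sent over HTTPS): we verify the supplied value.
                if (!sameBytes(expected, pc.getPassword())) throw new IOException("Authentication failed");
            } else if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                // Digest password type: WSS4J compares digests and needs the stored password.
                pc.setPassword(expected);
            } else {
                throw new UnsupportedCallbackException(cb, "Unsupported usage");
            }
        }
    }

    // Constant-time comparison so response timing does not reveal how much of a guess matched.
    private static boolean sameBytes(String a, String b) {
        if (b == null) return false;
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Any exception thrown from the callback makes the receiver reject the request with a SOAP fault before the service method runs. Because the token is a standard WS-Security header, .NET or PHP clients can send it with their own WS-Security libraries.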
 