Wss4J Security question on Username Token

Hi,

I had a doubt on the following scenario.

There is a set of web services hosted on a Microsoft environment (acting as producers). The access to these web services is primarily based on a two step methodology

Step 1: Use Authentication service by sending relevant username, password details which returns a session token if the user is valid
Step 2. To use any other service the WSDL says that we need to send the session token along with user name by using Username Token security .

I am using WSS4j to enable this. While step 1 goes thru pretty well, I am caught with step 2. I am not sure what all to use for this, i.e do I have to resend the password again or only session token alone will do.

Has anyone encountered a similar situation before? Any help will be great!

Thanks

PK

That depends on how you implement it. If you want to client to send username/password again, then set the other services up to require that. If sending the token is sufficient, then don't have them require username/password.