Would it be possible to have the property field of org.apache.ws.security.crypto.merlin.keystore.password encrypted similarly to the passwordCallbackClass so the password is not hardcoded and visible in the services.xml?
Hi. I don't have experience with Rampart per se, but this type of thing is usually done by specifying a callback class, e.g. class PWCallback extends javax.security.auth.callback.CallbackHandler. A few links: