Over on the .NET side, a popular way to deal with WS-Security apparently is to sign the request with the username token. I think I recall reading an example on MSDN doing exactly that. It's a perfectly valid part of the WS-Security standard, btw. However, since no private/public key is involved in the signing, it actually doesn't give you any security! Anybody could intercept the message and re-sign it, and so it doesn't add any value. That's probably the reason we don't see it over on the Java side.
Now the big question to me was, how do I call into such a .NET webservice from Java, knowing that it'll kick me out if I don't sign it? I looked long and hard into the CXF source code, and was about ready to write it myself. But, as it turns out, the solution was quite simple. The WSS4J framework (which CXF calls underneath) already has support for it!
Just take a look at org.apache.ws.security.handler.WSHandlerConstants. These are the (cryptic) strings that go into the "action" property of the WSS4JOutInterceptor in your Spring configuration file. And there you go: if you include an action "UsernameTokenSignature", presto! The SOAP request is now (still pointlessly) signed with the username. A quick Spring snippet for reference:
<bean id="wss4jOutInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
  <constructor-arg>
    <map>
      <entry key="action" value="UsernameTokenSignature Timestamp" />
      <entry key="passwordType" value="PasswordDigest" />
      <entry key="user" value="MYUSERNAME" />
      <entry key="passwordCallbackRef">
        <bean class="mypackage.MyPasswordCallback"/>
      </entry>
    </map>
  </constructor-arg>
</bean>