It has been mentioned that I could deploy a client-side handler that adds the SOAP security header. However, am I right in concluding that such a handler has no publicly-defined out-of-band (i.e., apart from the essential functional characteristics of the request, such as endpoint and parameters) communication channel with my client application? My client application has no access to the Axis MessageContext, and so cannot pass information there. It occurs to me that I might be able to pass information in a java.lang.ThreadLocal; (a) is this true, and (b) is this publicly sanctioned?
This issue of the communication channel is critical in my case, because my application needs to attach different username&password pairs to different requests (that are not differentiated by what they are invoking or by parameter values). Thanks, Mike
