Welcome to JavaRanch.
The username/password thing is for HTTP authentication; what you're looking for is proper WS-Security authentication.
The security info doesn't need to be in the WSDL. It can be kind of bolted onto a WS.
The problem is that there is no standard for adding WS-Security to JAX-WS (or to any other WS API for that matter). That means each WS stack does its own things.
If you were using Axis2/Rampart, I'd point you to
an article I wrote about this very topic.
If you're using the Metro stack, the closest to documentation I've seen is
this article. Don't worry if you're not using
Java 6 - in this context that just means J2SE + JAX-WS + JAXB (which are part of Metro, or can be downloaded separately).
All other tutorials assume you're using NetBeans (and GlassFish). It almost seems as if everybody working for Sun, or wanting to blog on dev.java.net, must agree to push NetBeans as hard as possible. I'm convinced that this hinders the adoption of several Java technologies and APIs, but that's a different topic.
[ August 09, 2008: Message edited by: Ulf Dittmer ]