I've written a simple Hello World JAX-WS web service. Now I want to secure this service so that only specific users (with a username and password) can access this web service. My understanding is that the Username Token Profile is the right utility to implement this.
Until now, I've used Eclipse to build the service, and I've used a bottom-up approach, so I've just written my Java classes and annotated them. The WSDL file is generated when I deploy my service to my server. I've searched for annotations, or something like them, that would let me add the security features to my Java classes, but I haven't found anything.
It seems to me that the bottom-up approach can't solve this problem and that I now have to deal directly with the WSDL file. Is this correct, or am I on the wrong side of the street?
No, you really shouldn't be using Basic Authentication; WS-Security (with a Username Token) is the way to go.
Unfortunately, WS-Security isn't integrated with JAX-WS, so there aren't any annotations you can use to configure it. But if you're using the Metro stack, then you have everything you need to add WS-Security to JAX-WS; check its documentation for examples.