This is for HTTP Authentication, which is different than SOAP Authentication.
Um, yes, so it is not relevant here.
I'll clarify. Injecting "username" and "password" in such a way will not be sufficient for the WS-Security. If the original poster showed the above client-code to convey that that was how he was trying to provide credentials to a web service protected by WS-Security, that will not work because
puts the username and password in the HTTP header, not the SOAP header. If the original poster intended to convey something else by showing the above client-code, I apologize.