This week's book giveaway is in the OCMJEA forum. We're giving away four copies of OCM Java EE 6 Enterprise Architect Exam Guide and have Paul Allen & Joseph Bambara on-line! See this thread for details.
The standard way to add security to SOAP calls is to use WS-Security, which all major SOAP stacks supports. Trying to roll your own is like reinventing the wheel, only that you will likely end up with an insecure system.
In one of your previous questions I pointed you to a SAAJ client; that contains code to set SOAP headers, if you still think this is a good ideas (it's not).
Why do you want to use SAAJ instead of a higher level API like JAX-WS?