SAAJ does not implement WS-Security; wss4j does. SAAJ is a low-level API for making SOAP calls (and JAX-RPC is a higher-level API built on top of SAAJ). But neither of them deals with security.
If all you require is username/password functionality, you can probably get away with using HTTP authentication instead of WS-Security.
(Just to be clear: the client did mention SAAJ, and not JAAS?)
[ October 21, 2005: Message edited by: Ulf Dittmer ]
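The HTTP-authentication route suggested above, as an added example that is not part of the original post: a SAAJ client that sends Basic credentials as an HTTP header and refuses to do so over a non-TLS endpoint. It assumes a SAAJ implementation (`javax.xml.soap`) is on the classpath and that its HTTP connection forwards the message's MIME headers as HTTP headers, as the reference implementation does; the endpoint URL, namespace, operation name and credentials are hypothetical.

```java
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.xml.namespace.QName;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPConnection;
import javax.xml.soap.SOAPConnectionFactory;
import javax.xml.soap.SOAPMessage;

public class SaajBasicAuthClient {

    // Build a SOAP request whose transport headers carry Basic credentials.
    static SOAPMessage buildRequest(String user, char[] password) throws Exception {
        SOAPMessage msg = MessageFactory.newInstance().createMessage();
        // Hypothetical operation and namespace, for illustration only.
        msg.getSOAPBody()
           .addBodyElement(new QName("urn:example:orders", "getStatus", "ex"))
           .addChildElement("orderId")
           .addTextNode("1234");

        String token = Base64.getEncoder().encodeToString(
                (user + ":" + new String(password)).getBytes(StandardCharsets.UTF_8));
        // The credentials travel outside the SOAP envelope, as an HTTP header.
        msg.getMimeHeaders().setHeader("Authorization", "Basic " + token);
        return msg;
    }

    static SOAPMessage call(URL endpoint, String user, char[] password) throws Exception {
        // Basic auth is only base64-encoded, so refuse cleartext transport.
        if (!"https".equalsIgnoreCase(endpoint.getProtocol())) {
            throw new IllegalArgumentException("Basic auth requires an https endpoint");
        }
        SOAPConnection conn = SOAPConnectionFactory.newInstance().createConnection();
        try {
            return conn.call(buildRequest(user, password), endpoint);
        } finally {
            conn.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder endpoint and credentials; load real ones from a secret store.
        SOAPMessage reply = call(new URL("https://service.example/orders"),
                "demo-user", "demo-password".toCharArray());
        reply.writeTo(System.out);
    }
}
```

Unlike a WS-Security UsernameToken, these credentials protect only the HTTP hop: any intermediary that terminates TLS sees them, and nothing in the SOAP envelope itself is signed or authenticated.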