Posted to soap-dev@ws.apache.org by davout <da...@dsl.pipex.com> on 2002/02/12 11:36:39 UTC

Newbie Soap 2.2/Axis - application level authentication - what to use?!?

I'm trying to design my first web services based application, and to that
end I've been looking at both Apache 'SOAP 2.2' and 'Axis'.

For this application I will have to implement an application level
authentication scheme where an end user has to connect/login before they
can use any of the web services (i.e. there will be an app level
authentication web service that is part of the app level web services).

Looking at the various docs and online resources I can't seem to get a
straight answer on how best to implement application level authentication
within Java based web services.

My original plan had been to have the end user connect/login to the app web
services, and for the application authentication web service to return some
form of ID token. For all subsequent soap calls the end user would include
this token in the SOAP message header. Each web service method would as a
first step check for the presence and validity of this header based ID
token.

I couldn't employ this technique with Soap 2.2 as the latter doesn't give
the Java class access to the soap message. Does Axis solve this problem?

Can anybody help me out with some ideas on how to implement app level
authentication?

The options appear to be...
* Including authentication IDs as part of the soap message
* Making the first parameter in each soap class method an authentication ID
* What else?

TIA,

	.... davout

P.S. my end product has to be compatible across all mainstream app servers,
so I can't use a proprietary Apache solution.
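
The header-token scheme described in the post above, as an added example that is not part of the original message and not Apache SOAP or Axis code: the login service issues an expiring, HMAC-signed token, and every other service extracts it from the SOAP header and validates it before doing any work. The class name, the `urn:example:auth` namespace, the `Token` element, the token layout and the demo key are assumptions made for illustration; only standard JDK classes (Java 8 or later) are used.

```java
import java.io.ByteArrayInputStream;
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class HeaderTokenAuth {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"; // SOAP 1.1 envelope
    static final String AUTH_NS = "urn:example:auth"; // hypothetical namespace for the token header
    static String sign(byte[] key, String body) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(m.doFinal(body.getBytes(UTF_8)));
    }
    // Login service: call only after the user's credentials have been checked.
    static String issue(byte[] key, String user, long expiresAt) throws Exception {
        return user + "|" + expiresAt + "|" + sign(key, user + "|" + expiresAt);
    }
    // Every other service: returns the user name, or null if the token is missing, forged or expired.
    static String verify(byte[] key, String token, long now) throws Exception {
        int cut = token == null ? -1 : token.lastIndexOf('|');
        if (cut < 0) return null;
        String body = token.substring(0, cut);
        byte[] want = sign(key, body).getBytes(UTF_8), got = token.substring(cut + 1).getBytes(UTF_8);
        if (!MessageDigest.isEqual(want, got)) return null; // constant-time comparison
        String[] parts = body.split("\\|");
        return parts.length == 2 && Long.parseLong(parts[1]) > now ? parts[0] : null;
    }
    static String tokenFromEnvelope(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs
        Document d = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(UTF_8)));
        NodeList h = d.getElementsByTagNameNS(SOAP_NS, "Header");
        if (h.getLength() != 1) return null;
        NodeList t = ((Element) h.item(0)).getElementsByTagNameNS(AUTH_NS, "Token");
        return t.getLength() == 1 ? t.item(0).getTextContent().trim() : null;
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-use-random-bytes".getBytes(UTF_8); // constructed sample key
        String tok = issue(key, "alice", 1900L); // constructed sample: expires at t=1900
        String env = "<e:Envelope xmlns:e='" + SOAP_NS + "'><e:Header><a:Token xmlns:a='" + AUTH_NS
                + "'>" + tok + "</a:Token></e:Header><e:Body/></e:Envelope>";
        System.out.println("valid:    " + verify(key, tokenFromEnvelope(env), 1000L));
        System.out.println("expired:  " + verify(key, tokenFromEnvelope(env), 1901L));
        System.out.println("tampered: " + verify(key, tok.replace("alice", "admin"), 1000L));
    }
}
```

The token is a bearer credential, so the envelope needs transport protection such as HTTPS, and the signing key stays on the server side.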