I have configured my web service client to use WSDoAllSender to sign the SOAP request (create a Signature token) and also to create a Username token, like this:

<deployment xmlns="http://xml.apache.org/axis/wsdd/" xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
      <transport name="http" pivot="java:org.apache.axis.transport.http.HTTPSender" />
      <globalConfiguration>
            <requestFlow>
                  <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
                        <parameter name="user" value="user1" />
                        <parameter name="passwordCallbackClass" value="PWCallback" />
                        <parameter name="action" value="Signature NoSerialization" />
                        <parameter name="signaturePropFile" value="crypto.properties" />
                        <parameter name="mustUnderstand" value="0" />
                  </handler>
                  <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
                        <parameter name="action" value="UsernameToken" />
                        <parameter name="user" value="User1" />
                        <parameter name="passwordCallbackClass" value="PWCallback" />
                        <parameter name="passwordType" value="digested" />
                        <parameter name="mustUnderstand" value="0" />
                  </handler>
            </requestFlow>
      </globalConfiguration>
</deployment>

 

And the server configuration is:

<handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
      <parameter name="passwordCallbackClass" value="PWCallback" />
      <parameter name="action" value="Signature UsernameToken" />
      <parameter name="signaturePropFile" value="crypto.properties" />
</handler>

 

Question 1:

Everything works fine if the order of the security tokens on the client side is as above; however, it does not work if they are reversed?! And I don't have control over all the clients to make them send the user token first and then the signature in the Security header every time?

Question 2:

The PWCallback class requires that I set the password for the identifier (on the server side) so that it can be authenticated; I need to authenticate through LDAP. What is the best way to accomplish this?

Question 3:

I could configure crypto.properties to read the keys needed for signing and validating the signature from a keystore stored on the file system. How can I configure Merlin to use digital certificates stored in LDAP to do the signature validation?

Thanks in advance.

 

Aws Ismail

 
