WS-Security support is one the most requested features for Spring-WS. While implementing this new feature, we should focus on the features included in WS-I's Basic Security profile.
Since Spring already has an excellent security framework in the form of Acegi, it seems best to leverage it. Furthermore, we can probably use Apache's WSS4J framework to handle the message.
SOAP Message Security 1.0 Specification: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
Username Token profile V1.0: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf
X.509 Token Profile V1.0: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf
WS-I Basic Security Profile: http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
Apache's WSS4J: http://ws.apache.org/wss4j/