Encryption of WS-Security's own headers is not supported. To avoid sending clear-text passwords over the network, you should either use a secure transport (HTTPS) or use the other features included in the WS-Security Username Token profile. For more details, take a look at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf : instead of using the PasswordText type, you should be using the digest.
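The digest option from the linked profile, shown as an added Python example (not part of the original answer and not any WS stack's own code): the client sends Base64(SHA-1(nonce + created + password)) in place of the password, and the server recomputes it while enforcing a freshness window and a nonce cache against replay. The names `make_token` and `DigestVerifier`, the dict-based token and the 5-minute window are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"  # UTC timestamp format used for the Created value


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password))."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_token(username: str, password: str, now: datetime) -> dict:
    """Client side: fresh random nonce and timestamp for every message."""
    nonce, created = os.urandom(16), now.strftime(FMT)
    return {"Username": username,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created,
            "Password": password_digest(nonce, created, password)}


class DigestVerifier:
    """Server side: freshness window plus nonce cache to reject replays."""

    def __init__(self, passwords: dict, max_age=timedelta(minutes=5)):
        self.passwords, self.max_age, self.seen = passwords, max_age, {}

    def verify(self, token: dict, now: datetime) -> bool:
        try:
            created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
            secret = self.passwords[token["Username"]]
            supplied = token["Password"]
        except (KeyError, ValueError):
            return False  # malformed token or unknown user
        if abs(now - created) > self.max_age:
            return False  # stale or future-dated token
        # Forget nonces that the freshness window already rejects.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        if nonce in self.seen:
            return False  # replayed token
        expected = password_digest(nonce, token["Created"], secret)
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return False
        self.seen[nonce] = created
        return True
```

The digest keeps the password off the wire, but the server must hold the clear-text password to recompute it, and a captured digest can still be guessed offline, so HTTPS remains worthwhile alongside it.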