This is not new functionality in WSE3.0 but I thought I'd pick it out anyway.

With WSE you can pass different kinds of tokens to a service to identify yourself - out of the box these are Username, Kerberos and X509. When the service receives one of these identifying tokens it can try to work out whether that's a valid token and try to construct an identity from it (i.e. "This SOAP message came from Fred") by using a SecurityTokenManager. There are a number of SecurityTokenManagers in the framework for managing the different token types (username, kerberos, x509 and more esoteric ones).

As an example, when a UsernameToken arrives at a WSE service then by default the UsernameTokenManager attempts to use the credentials supplied to log in to Windows. If that doesn't work, the message gets bounced.

If you want to change this behaviour then you need to write and register your own UsernameTokenManager to do something else (perhaps look up credentials in a database).

public class Manager : UsernameTokenManager...
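
A manager of the kind described above could look like the following. This is an added example, not the original post's code; the class name, namespace, assembly name and the in-memory credential table (standing in for a database) are assumptions.

```csharp
using System.Collections.Generic;
using System.Security.Principal;
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

// Hypothetical names. Register the class for UsernameToken in the service's config:
// <microsoft.web.services3><security><securityTokenManager>
//   <add type="Example.DatabaseUsernameTokenManager, Example"
//        namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
//        localName="UsernameToken" />
// </securityTokenManager></security></microsoft.web.services3>
namespace Example
{
    public class DatabaseUsernameTokenManager : UsernameTokenManager
    {
        // Constructed sample data standing in for a database lookup.
        private static readonly Dictionary<string, string> Passwords =
            new Dictionary<string, string>();

        static DatabaseUsernameTokenManager()
        {
            Passwords.Add("fred", "constructed-sample-password");
        }

        // WSE calls this for each incoming UsernameToken and compares the
        // returned password with the password (or digest) in the message,
        // so the store has to be able to yield the original password.
        protected override string AuthenticateToken(UsernameToken token)
        {
            string password;
            if (token == null || string.IsNullOrEmpty(token.Username) ||
                !Passwords.TryGetValue(token.Username, out password))
            {
                // Unknown user: bounce the message rather than falling
                // back to the default Windows logon.
                throw new SecurityFault(
                    SecurityFault.FailedAuthenticationMessage,
                    SecurityFault.FailedAuthenticationCode);
            }

            // Identity the service code will see for this SOAP message.
            token.Principal = new GenericPrincipal(
                new GenericIdentity(token.Username), new string[0]);
            return password;
        }
    }
}
```

Because the manager has to return a password WSE can compare against, a one-way hashed credential store cannot be used directly with hashed UsernameTokens; protect the store and the transport accordingly.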