My customers' front-end allows access via an anonymous user (not logged in) or a logged-in user. My web service is backend/middleware; it always needs authentication to allow use for paying customers only.

So I was reading this article:
http://www.soapui.org/SOAP-and-WSDL/...-requests.html

And I was wondering if it would be a good design to make HTTP authentication the way a registered customer authenticates, and use SOAP WS-SEC to authenticate the customer's user?

Is something even possible with Spring Security? Or what alternative designs exist?