AUthentification are sent normally through the soap:headers using ws-security oasis (google it ther is ton of doucmentation).
It is in the headers because it is transversal, not specifing to an endpoint.
With ws-security you can encrypt the password using various algorithm, signs it etc.
And spring-ws has interceptors for that ease the pain
You seems to want a stateful webservice instead of a stateless. This is NOT a best practice.you will NOT found any example for that in the spring documentation. You will meet issues like in a cluster environnement, the need to propagate the session used.
If your need is to avoid for every request an authentification, you can use ehcache on the server side.I have use it already with spring-ws.
With this, the authentification should be sent everytime for secured ws, and if you want, the server will really do the authentification on database, ldap or whatever just once in a day for a specific user.
Need help on Spring WS ? Do you want to shift gears and build the architecture of your spring ws with half of the price that will be for your company ? I have worked on Spring Ws 1,5 year at full time and build around80 WS with full dao testing and integration tests with Soapui with Maven 2 on hudson