Hello everyone i want to achieve security for our ws this way:

1. We want to use Username token profile.
2. We want to achieve this by using PolicySets

3. Client must provide username(unique emailadress) and password for first request.
4. For subsequent requests user must  authenticate with token for a specified time period after that user must provide username and password again.
5. Username and Password properties also other soap message fields must be encrypted for message security .

6. Token must include nonce and created.

7. After authentication we must be able get username for ws request at service implementation.

8. We must be able to do this with using WildFly 10.0.0.Final

Any criticism, suggestions or advice for better security are welcome .
Client is Android Mobile devices which uses ksoap2 and services are ejbs runs in War on WildFly 10.0.0.Final.

I made a research for this purpose at WildFly documentation and JBoss WebServices documentation but couldn't figure out how to do it. It looks like it is possible but i don't know how.

Any help appreciated, Thanks in advance.