JBoss Web Services / JBWS-675

Fix or remove ClientLoginHandler


      ClientLoginHandler sends usernames and passwords in proprietary SOAP headers if there is an active SecurityAssociation.

      This causes major problems if the client happens to be a web service:
      1. This is a security vulnerability because it echoes the principal and credential of the calling client to any destination regardless of whether it has been configured to do so.

      2. It assumes that the principal and credential are username & password, which ends up breaking authentication on the server side if CLIENT-CERT auth is used.

      -Jason
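The two problems in the report point at the shape of a safer client-side handler: credentials must never be pulled from an ambient, thread-wide security association and forwarded wherever the call happens to go, and the handler must verify it actually holds a username/password pair before it writes one into a header. The sketch below is an added example written for this page, not JBossWS code and not the handler the issue describes. It is a plain JAX-WS `SOAPHandler` that reads the username and password only from the per-call `BindingProvider` request context, attaches them only when the destination endpoint is on an explicit allow-list, and skips silently (rather than breaking the call) when either condition fails. The header namespace `urn:example:credentials` and element names are placeholders; the real proprietary header format is not given on the page.

```java
import java.util.Collections;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

/**
 * Outbound handler that attaches a username/password header only for endpoints
 * the caller has explicitly opted in, and only when the request context really
 * carries a username/password pair. Example code; the header layout is assumed.
 */
public class ScopedCredentialHandler implements SOAPHandler<SOAPMessageContext> {

    // Placeholder namespace for the proprietary header; not the real JBossWS one.
    private static final String CRED_NS = "urn:example:credentials";
    private static final QName CRED_HEADER = new QName(CRED_NS, "Credentials", "c");

    private final Set<String> allowedEndpoints;

    public ScopedCredentialHandler(Set<String> allowedEndpoints) {
        this.allowedEndpoints = Collections.unmodifiableSet(allowedEndpoints);
    }

    /**
     * The policy decision, kept separate so it can be unit-tested without SAAJ:
     * attach only if the endpoint is allow-listed and both values are strings.
     * A CLIENT-CERT principal carries no password, so it never passes this check.
     */
    static boolean shouldAttach(String endpoint, Set<String> allowed, Object user, Object pass) {
        return endpoint != null
                && allowed.contains(endpoint)
                && user instanceof String && !((String) user).isEmpty()
                && pass instanceof String;
    }

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        // Only outbound (request) messages ever get a credential header.
        boolean outbound = Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY));
        if (!outbound) {
            return true;
        }
        // Credentials come from the per-call request context, never from a thread-local.
        String endpoint = (String) ctx.get(BindingProvider.ENDPOINT_ADDRESS_PROPERTY);
        Object user = ctx.get(BindingProvider.USERNAME_PROPERTY);
        Object pass = ctx.get(BindingProvider.PASSWORD_PROPERTY);
        if (!shouldAttach(endpoint, allowedEndpoints, user, pass)) {
            return true; // not configured for this destination: send nothing extra
        }
        try {
            SOAPEnvelope env = ctx.getMessage().getSOAPPart().getEnvelope();
            SOAPHeader header = env.getHeader();
            if (header == null) {
                header = env.addHeader();
            }
            SOAPElement cred = header.addChildElement(CRED_HEADER);
            cred.addChildElement("Username", "c").addTextNode((String) user);
            cred.addChildElement("Password", "c").addTextNode((String) pass);
            ctx.getMessage().saveChanges();
        } catch (SOAPException e) {
            throw new IllegalStateException("failed to add credential header", e);
        }
        return true;
    }

    @Override
    public boolean handleFault(SOAPMessageContext ctx) {
        return true; // faults are passed through untouched
    }

    @Override
    public void close(MessageContext ctx) {
        // nothing to release
    }

    @Override
    public Set<QName> getHeaders() {
        return Collections.singleton(CRED_HEADER);
    }
}
```

Because the handler reads `USERNAME_PROPERTY` and `PASSWORD_PROPERTY` from the request context of the specific port being invoked, a web service that is itself a client no longer leaks whatever principal happened to be authenticated on the inbound thread; and because `shouldAttach` requires two strings, a certificate-authenticated caller produces no header at all, leaving the server's CLIENT-CERT authentication undisturbed. The allow-list is the "configured to do so" check the report says the original handler lacks.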

            tdiesler@redhat.com Thomas Diesler
            jgreene@redhat.com Jason Greene