ws-security，客户端组装soapXML的时候，httpstoken是在 soapXML的哪里添加呢？

Question

下面代码是参考 soapUI的源码，组装 soapXML的内容。
组装请求soapXML时候，httpstoken是在 soapXML的哪里添加呢？

        MessageFactory factory = MessageFactory.newInstance(SOAPConstants.SOAP_1_2_PROTOCOL);  
        SOAPMessage message = factory.createMessage();  
        SOAPPart soappart = message.getSOAPPart();  
        SOAPEnvelope envelope = soappart.getEnvelope();  
        SOAPBody body = envelope.getBody();  
          
        WSSecHeader wsheader = new WSSecHeader();  
        wsheader.insertSecurityHeader(soappart);  
        WSSecTimestamp timestamp = new WSSecTimestamp();  
        timestamp.setTimeToLive(360);  
        timestamp.build(soappart, wsheader);  
        WSSecUsernameToken token = new WSSecUsernameToken();  
        token.setPasswordType(WSConstants.PASSWORD\_TEXT);  
        token.setUserInfo("username", "password");  
        token.addNonce();  
        token.addCreated();  
        token.build(soappart, wsheader);  
          
          
        最后组装成：  
          
<?xml version="1.0" encoding="UTF-8" standalone="no"?>  
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">  
    <env:Header>  
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"  
                       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"  
                       env:mustUnderstand="true">  
            <wsse:UsernameToken wsu:Id="UsernameToken-6D377F9776C32BB51C15897899608472">  
                <wsse:Username>username</wsse:Username>  
                <wsse:Password  
                        Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">  
                    password  
                </wsse:Password>  
                <wsse:Nonce  
                        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">  
                    jb/l76clft7i8mYS+nWzrA==  
                </wsse:Nonce>  
                <wsu:Created>2020-05-18T08:19:20.847Z</wsu:Created>  
            </wsse:UsernameToken>  
            <wsu:Timestamp wsu:Id="TS-6D377F9776C32BB51C15897899603871">  
                <wsu:Created>2020-05-18T08:19:20.378Z</wsu:Created>  
                <wsu:Expires>2020-05-18T08:25:20.378Z</wsu:Expires>  
            </wsu:Timestamp>  
        </wsse:Security>  
    </env:Header>  
    <env:Body />  
</env:Envelope>

下面是 httpstoken的 policy

<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"  
                xmlns:wsp="http://www.w3.org/ns/ws-policy"  
                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  
                wsu:Id="WS-SP-EX2121\_binding\_policy">  
        <sp:TransportBinding>  
            <wsp:Policy>  
                <sp:TransportToken>  
                    <wsp:Policy>  
                        <sp:HttpsToken>  
                            <wsp:Policy/>  
                        </sp:HttpsToken>  
                    </wsp:Policy>  
                </sp:TransportToken>  
                <sp:AlgorithmSuite>  
                    <wsp:Policy>  
                        <sp:Basic128/>  
                    </wsp:Policy>  
                </sp:AlgorithmSuite>  
                <sp:Layout>  
                    <wsp:Policy>  
                        <sp:Strict/>  
                    </wsp:Policy>  
                </sp:Layout>  
                <sp:IncludeTimestamp/>  
            </wsp:Policy>  
        </sp:TransportBinding>  
        <sp:SupportingTokens>
            <wsp:Policy>
                <sp:UsernameToken
                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy/>
                </sp:UsernameToken>       
            </wsp:Policy>
        </sp:SupportingTokens>
</wsp:Policy>