For user authentication, Wrexitn and CFB DynamicMessageSecurityExit allows security token to be set in Common Format Buffer (CFB) 

Similarly, can web services be used as middleware instead of CFB?

If it is used as middleware then how can the security token be passed to the server ?

For eg : How it is passed through soap header?

Release: 8.6
Component: GEN Communication Base Manager

The Security Token is not included when the Transaction Enabler (TE)  first offered as a Web Service. 

In  WSDL when TE returns for a Gen transaction, only the Client_Userid and Client_Password along with the security level (SecurityUsed or SecurityUsedEnhanced) are passed in the SOAP  request.

TE is not expecting a Security Token in the SOAP request.

TE is the only Gen product that is  enabled to accept a Web Service call besides the EJB as a Web Service.

 EJB Web Service feature is not implemented with the same security as C servers and it does not use a Security Token.