
Authentication for Web Services

 

Authentication Using Mechanism or Security Token

Web service clients can authenticate themselves either by using the authentication mechanisms provided by the HTTP protocol such as basic authentication, or by adding a security token to the WS Security header. Depending on the authentication mechanism, different authentication options are available.

  • Default at runtime: Strong

    The following alternatives are available in the runtime configuration:

    • HTTP Authentication

      • X.509 Client Certificate

      • Logon Ticket

    Alternatively:

    • Message Authentication

      • X.509 Client Certificate

      • SAML Assertion

  • Default at design time: Basic

    In addition to the options listed under Strong, you must also choose one of the following security measures:

    • HTTP Authentication

      • User ID/Password

    Alternatively:

    • Message Authentication

      • User ID/Password

  • Default at design time: None

    You can select from any of the security measures, or you can choose to not make any security settings at all.
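The following Python check is an added example, not SAP code and not part of the original documentation. It classifies the credential a SOAP request presents into the options listed above and compares it with the design-time level. It assumes SOAP 1.1, SAML 2.0 assertions, and the MYSAPSSO2 cookie as the carrier of the logon ticket; the function names, the tls_client_cert flag, and all sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # use defusedxml when parsing untrusted input

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
RANK = {"None": 0, "Basic": 1, "Strong": 2}  # levels as named on this page

def classify(headers, envelope, tls_client_cert=False):
    """Return (channel, option, level) for the credential a request presents.

    Only the kind of credential is classified; nothing is verified here.
    """
    sec = ET.fromstring(envelope).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is not None:
        if sec.find(f"{{{SAML2}}}Assertion") is not None:
            return ("Message", "SAML Assertion", "Strong")
        bst = sec.find(f"{{{WSSE}}}BinarySecurityToken")
        if bst is not None and bst.get("ValueType", "").endswith("#X509v3"):
            return ("Message", "X.509 Client Certificate", "Strong")
        if sec.find(f"{{{WSSE}}}UsernameToken") is not None:
            return ("Message", "User ID/Password", "Basic")
    if tls_client_cert:  # assumed flag from the TLS terminator, not an HTTP header
        return ("HTTP", "X.509 Client Certificate", "Strong")
    if "MYSAPSSO2=" in headers.get("Cookie", ""):  # SAP logon ticket cookie
        return ("HTTP", "Logon Ticket", "Strong")
    if headers.get("Authorization", "").startswith("Basic "):
        return ("HTTP", "User ID/Password", "Basic")
    return (None, None, "None")

def meets_minimum(headers, envelope, design_time_level, tls_client_cert=False):
    """True if the presented credential satisfies the design-time level."""
    level = classify(headers, envelope, tls_client_cert)[2]
    return RANK[level] >= RANK[design_time_level]

def sample_envelope(token_xml=""):
    """Constructed SOAP 1.1 envelope with an optional WS-Security token."""
    header = f'<wsse:Security xmlns:wsse="{WSSE}">{token_xml}</wsse:Security>' if token_xml else ""
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>{header}'
            f'</soap:Header><soap:Body/></soap:Envelope>')

# Constructed sample credentials (placeholders, not real secrets).
USERNAME_TOKEN = ("<wsse:UsernameToken><wsse:Username>WS_USER</wsse:Username>"
                  "<wsse:Password>placeholder</wsse:Password></wsse:UsernameToken>")
SAML_TOKEN = f'<saml:Assertion xmlns:saml="{SAML2}" ID="_constructed"/>'
BASIC_HEADERS = {"Authorization": "Basic V1NfVVNFUjpwbGFjZWhvbGRlcg=="}
```

A request that carries only User ID/Password, whether in the HTTP header or in the WS Security header, fails the check against a service designed with level Strong and passes against Basic or None.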

Design of Web Services in the AS ABAP and AS Java

In the ABAP application server and Java application server, you provide specifications for the authentication level when designing Web services.

For strong authentication, specify security level High. For basic authentication, specify security level Medium or Low.

Runtime Configuration in the NetWeaver Administrator

In SOA Management or in SAP NetWeaver Administrator, under Authentication, you can display the minimum security level for authentication that you defined in the ABAP application server or Java application server. Ensure that you always maintain the minimum security level in the runtime configuration.

Settings for Web Services:

  • For Service Definitions in SAP NetWeaver Administrator under SOA Management → Application and Scenario Communication → Single Service Administration on tab page Configuration and under Design Time Configuration, or also for groups of services under SOA Management → Application and Scenario Communication → Business Scenario Communication.

  • For Web Service Clients in SAP Administrator under SOA Management → Application and Scenario Communication → Single Service Administration on tab page Consumer Proxies and under Design Time Configuration.

Make the following entries:

Runtime Configuration for ABAP Web Services in SOA Manager

You can also configure any Web services that you have developed on AS ABAP in SOA Manager (transaction SOAMANAGER). The same security mechanisms are available.

More information: Runtime Configuration with the SOA Manager