How to do WS-Security header authentication against a database using DataPower. This cannot be done with the AAA action in a policy, but a custom stylesheet can be used.
The first step of the stylesheet is to extract the UsernameToken from the WS-Security header and assign the username and password to variables.
<xsl:variable name="aQuote">'</xsl:variable>
<xsl:variable name="dataSource" select="'TestDataSource'" />
<xsl:variable name="Username"
  select="/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='UsernameToken']/*[local-name()='Username']" />
<xsl:variable name="Password"
  select="/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='UsernameToken']/*[local-name()='Password']" />
The second step is to build the SQL statement from the newly created variables and execute it against the data source.
<xsl:variable name="count_sql"
  select="concat('select count(*) from ADMINISTRATOR.USER_REG where USER_NAME=',$aQuote,$Username,$aQuote,' and PASSWORD=',$aQuote,$Password,$aQuote)" />
<xsl:variable name="sql-output"
  select="dp:sql-execute($dataSource,$count_sql)" />
The third step is to check whether the SQL output reports exactly one matching record.
<xsl:message dp:type="sql" dp:priority="debug">
  sql-output: <xsl:value-of select="$sql-output" />
</xsl:message>
<!-- The count(*) query returns a single row with a single value: the number of matches -->
<xsl:variable name="recordCount" select="$sql-output/sql/row/column/value" />
<xsl:choose>
  <!-- <xsl:when test="$sql-output = '1'"> -->
  <!-- count($recordCount) > 0 only tests that a value node came back, which is true
       even when the count is 0; compare the returned count itself -->
  <xsl:when test="number($recordCount) = 1">
    <login-msg>Successful Login!!!</login-msg>
  </xsl:when>
  <xsl:otherwise>
    <login-msg>Failed Login!!!</login-msg>
  </xsl:otherwise>
</xsl:choose>
Does this way prevent SQL injection?
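It does not: concatenating the token values into the statement means a single quote inside Username or Password terminates the quoted literal and the remainder of the value is parsed as SQL. The defence is a constant statement with positional markers and the credentials passed as data through the third (arguments) parameter of dp:sql-execute. The stylesheet below is an added example, not code from the original post; the `<arguments>/<argument type="SQL_VARCHAR">` layout and passing that variable directly as a node-set are assumptions taken from the DataPower dp:sql-execute reference and should be checked against the firmware documentation in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:dp="http://www.datapower.com/extensions"
  extension-element-prefixes="dp" exclude-result-prefixes="dp">
  <xsl:variable name="dataSource" select="'TestDataSource'" />

  <!-- Same UsernameToken extraction as the original stylesheet -->
  <xsl:variable name="Username"
    select="string(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='UsernameToken']/*[local-name()='Username'])" />
  <xsl:variable name="Password"
    select="string(/*[local-name()='Envelope']/*[local-name()='Header']/*[local-name()='Security']/*[local-name()='UsernameToken']/*[local-name()='Password'])" />
  <!-- The statement text is constant: credentials are never spliced into it, so a
       quote character in the token is just data and cannot change the query -->
  <xsl:variable name="count_sql"
    select="'select count(*) from ADMINISTRATOR.USER_REG where USER_NAME = ? and PASSWORD = ?'" />

  <!-- Bind values positionally to the ? markers. Assumption: this <arguments>
       layout matches the dp:sql-execute reference for the firmware in use -->
  <xsl:variable name="sqlArgs">
    <arguments>
      <argument type="SQL_VARCHAR"><xsl:value-of select="$Username" /></argument>
      <argument type="SQL_VARCHAR"><xsl:value-of select="$Password" /></argument>
    </arguments>
  </xsl:variable>
  <xsl:template match="/">
    <xsl:choose>
      <!-- Fail closed on an empty or missing token instead of querying -->
      <xsl:when test="$Username = '' or $Password = ''">
        <login-msg>Failed Login!!!</login-msg>
      </xsl:when>
      <xsl:otherwise>
        <xsl:variable name="sql-output"
          select="dp:sql-execute($dataSource, $count_sql, $sqlArgs)" />
        <xsl:variable name="recordCount" select="$sql-output/sql/row/column/value" />
        <xsl:choose>
          <!-- count(*) returns exactly one value; only an exact match of 1 succeeds -->
          <xsl:when test="number($recordCount) = 1">
            <login-msg>Successful Login!!!</login-msg>
          </xsl:when>
          <xsl:otherwise>
            <login-msg>Failed Login!!!</login-msg>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```

Any SQL error or unexpected result shape falls through to the failed-login branch, so a broken data source never grants access.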