Message-level security is available for web services through the use of security policy XML files, called "WS-Policy" files. The WS-Policy file defines the signature, encryption, and tokens associated with the message.
The WS-Policy file (or files) is associated with the web service file through @Policy or @Policies annotations. Note that @Policy/@Policies annotations are not required to associate a web service and a WS-Policy file: runtime association mechanisms are also available through the Administration Console. But any policy associated with a web service through @Policy/@Policies annotations cannot be disassociated at runtime: the @Policy/@Policies annotations create a hardcoded association that cannot be undone at runtime.
Note that @Policy/@Policies can be applied to both web services and service controls, but runtime association through the Administration Console only applies to web services, not service controls.
WS-Policy files may be associated with entire web service or with individual methods of the web service.
In most cases you can use one of the provided WS-Policy files: Auth.xml, Sign.xml, and Encrypt.xml. For more advanced cases you can write your own WS-Policy file.
For a detailed information about message level security with WS-Policy files see Configuring Message-Level Security (Digital Signatures and Encryption) in the WebLogic Server documentation.
For more information on updating WS-Security files to WS-Policy files, see Upgrading Annotations and Upgrading Security from from WS-Security to WS-Policy.
WebLogic Server documentation: Web Services Security
WebLogic Server documentation: Associating WS-Policy Files at Runtime Using the Administration Console