The application deployer is responsible for the following tasks:
Specifying at application assembly any required application-specific message protection policies if such policies have not already been specified by upstream roles (the developer or assembler).
Modifying Sun deployment descriptors to specify application-specific message protection policies information message-security-binding elements to a web service endpoint.
The application developer can setup message security but is not responsible for doing so. The system administrator can set the message security so that all Web Services are secured. The application deployer can set the message security when the provider or protection policy bound to the application must be different from that bound to the container.