The application developer can implement message security, but is not responsible for doing so. Message security can be set up by the System Administrator so that all web services are secured, or set up by the Application Deployer when the Application Server provider configuration is insufficient.
The application developer is responsible for the following:
Determining if an application-specific policy is necessary for an application. If so, ensure that policy is satisfied at application assembly, or communicate the requirement for application-specific message security to the Application Deployer, or take care of implementing the application-specific policy.
Determining if message security is necessary at the Application Server level. If so, ensure that need is communicated to the System Administrator, or take care of implementing message security at the Application-Server level.
The application deployer is responsible for:
Securing the application if it has not been appropriately secured by upstream roles (the developer or assembler) and only if an application-specific policy is appropriate for the application.
Implementing application-specific security by adding the message security binding to the web service endpoint.
Modifying Sun-specific deployment descriptors to add message binding information.
The system administrator is responsible for:
Configuring message security providers on the Application Server.
Managing user databases.
Managing keystore and truststore files.
Configuring a Java Cryptography Extension (JCE) provider if using Encryption and running a version of the Java SDK prior to version 1.5.0.
Installing the samples server in order to work with the example message security applications.
A system administrator uses the Admin Console or the asadmin tool to manage server security settings and keytool to manage certificates. System administrator tasks are discussed in the Configuring Message Security chapter of the Sun Java System Application Server Enterprise Edition 8.2 Administration Guide.