In GlassFish Server, the administrator and the application deployer are expected to take primary responsibility for configuring message security. In some situations, the application developer might also contribute.
The system administrator is responsible for the following message security tasks:
- Administering server security settings and certificate databases
- Administering keystore and truststore files
- Configuring message security providers on GlassFish Server
- Turning on message security
- (If needed) Installing the samples server
The application deployer is responsible for the following message security tasks:
- Specifying (at application reassembly) any required application-specific message protection policies if such policies have not already been specified by the developer/assembler
- Modifying GlassFish Server deployment descriptors to add application-specific message protection policy information (message-security-binding elements) to web service endpoints and service references
The application developer/assembler is responsible for the following message security tasks:
- Determining if an application-specific message protection policy is required by the application
  If so, the developer ensures that the required policy is specified at application assembly time.
- Specifying how web services should be set up for message security
  Message security can be set up by the administrator so that all web services are secured, or by the application deployer when the security provider or protection policy bound to the application must be different from that bound to the container.
- Turning on message security if authorized to do so by the administrator