When the Application Server provided configuration is insufficient for your security needs, and you want to override the default protection, you can apply application-specific message security to a web service.
Application-specific security is implemented by adding the message security binding to the web service endpoint, whether it is an EJB or servlet web service endpoint. Modify Sun-specific XML files to add the message binding information.
For more details on message security binding for EJB web services, servlet web services, and clients, see the XML file descriptions in Appendix A, Deployment Descriptor Files.
For sun-ejb-jar.xml, see The sun-ejb-jar.xml File.
For sun-web.xml, see The sun-web.xml File.
For sun-application-client.xml, see The sun-application-client.xml file.
This section contains the following topics:
Using a Signature to Enable Message Protection for All Methods
Configuring Message Protection For a Specific Method Based on Digital Signatures
To enable message protection for all methods using digital signature, update the message-security-binding element for the EJB web service endpoint in the application’s sun-ejb-jar.xml file. In this file, add request-protection and response-protection elements, which are analogous to the request-policy and response-policy elements discussed in the Configuring Message Security chapter of the Sun Java System Application Server Platform Edition 8.1 2005Q2 Update 2 Administration Guide. In order to apply the same protection mechanisms for all methods, leave the method-name element blank. Configuring Message Protection For a Specific Method Based on Digital Signatures discusses listing specific methods or using wildcard characters.
This section uses the sample application discussed in Understanding and Running the Example Application to apply application-level message security in order to show only the differences necessary for protecting web services using various mechanisms.
 To enable message protection for all methods using digital
signature
To enable message protection for all methods using digital
signatureIn a text editor, open the application’s sun-ejb-jar.xml file.
For the xms example, this file is located in the directory install-dir /samples/webservices/security/ejb/apps/xms/xms-ejb/src/conf.
Modify the sun-ejb-jar.xml file by adding the message-security-binding element as shown:
<sun-ejb-jar>
  <enterprise-beans>
    <unique-id>1</unique-id>
    <ejb>
      <ejb-name>HelloWorld</ejb-name>
      <jndi-name>HelloWorld</jndi-name>
      <webservice-endpoint>
        <port-component-name>HelloIF</port-component-name>
        <endpoint-address-uri>service/HelloWorld</endpoint-address-uri>
        <message-security-binding auth-layer="SOAP">
          <message-security>
            <request-protection auth-source="content" />
            <response-protection auth-source="content"/>
          </message-security>
        </message-security-binding>
      </webservice-endpoint>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
Compile, deploy, and run the application as described in To Run the Sample Application.
To enable message protection for a specific method, or for a set of methods that can be identified using a wildcard value, follow these steps. As in the example discussed in Using a Signature to Enable Message Protection for All Methods, to enable message protection for a specific method, update the message-security-binding element for the EJB web service endpoint in the application’s sun-ejb-jar.xml file. To this file, add request-protection and response-protection elements, which are analogous to the request-policy and response-policy elements discussed in the Configuring Message Security chapter of the Sun Java System Application Server Platform Edition 8.1 2005Q2 Update 2 Administration Guide. The Administration Guide includes a table listing the set and order of security operations for different request and response policy configurations.
This section uses the sample application discussed in Understanding and Running the Example Application to apply application-level message security in order to show only the differences necessary for protecting web services using various mechanisms.
 To enable message protection for a particular method or set
of methods using digital signature
To enable message protection for a particular method or set
of methods using digital signatureIn a text editor, open the application’s sun-ejb-jar.xml file.
For the xms example, this file is located in the directory install-dir/samples/webservices/security/ejb/apps/xms/xms-ejb/src/conf.
Modify the sun-ejb-jar.xml file by adding the message-security-binding element as shown:
<sun-ejb-jar>
  <enterprise-beans>
  <unique-id>1</unique-id>
    <ejb>
      <ejb-name>HelloWorld</ejb-name>
      <jndi-name>HelloWorld</jndi-name>
      <webservice-endpoint>
        <port-component-name>HelloIF</port-component-name>
        <endpoint-address-uri>service/HelloWorld</endpoint-address-uri>
        <message-security-binding auth-layer="SOAP">
          <message-security>
            <message>
              <java-method>
                <method-name>ejbCreate</method-name>
              </java-method>
            </message>
            <message>
              <java-method>
                <method-name>sayHello</method-name>
              </java-method>
            </message>
            <request-protection auth-source="content" />
            <response-protection auth-source="content"/>
          </message-security>
        </message-security-binding>
      </webservice-endpoint>
    </ejb>
  </enterprise-beans>
</sun-ejb-jar>
Compile, deploy, and run the application as described in To Run the Sample Application.