Theresponse policy denes the authentication policy requirements associated with response
processingperformed by the authentication provider. Policies are expressed in message
senderorder such that a requirement that encryption occur after content would mean that
themessage receiver would expect to decrypt the message before validating the signature.
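
The ordering rule above, worked through as an added example (not taken from the guide): the script reads request and response policies from a provider configuration and derives the order in which the message receiver must process each message. The request-policy and response-policy elements, the auth-source and auth-recipient attributes and their values follow GlassFish's domain.xml but are assumptions here, since this page does not show them; the provider ids are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on provider entries in GlassFish's domain.xml.
# Element names, attribute names and values are assumptions; the page omits them.
SAMPLE = """
<message-security-config auth-layer="SOAP">
  <provider-config provider-id="ExampleSignOnly" provider-type="server">
    <request-policy auth-source="content"/>
    <response-policy auth-source="content"/>
  </provider-config>
  <provider-config provider-id="ExampleSignAndEncrypt" provider-type="server">
    <request-policy auth-source="content" auth-recipient="before-content"/>
    <response-policy auth-source="content" auth-recipient="after-content"/>
  </provider-config>
</message-security-config>
"""

INVERSE = {"token": "validate-token", "sign": "verify-signature", "encrypt": "decrypt"}

def sender_order(policy):
    """Security operations for one policy element, in message sender order."""
    if policy is None:
        return []                       # no policy: message is unprotected
    source = policy.get("auth-source")
    recipient = policy.get("auth-recipient")
    if source not in (None, "sender", "content"):
        raise ValueError(f"unknown auth-source: {source!r}")
    if recipient not in (None, "before-content", "after-content"):
        raise ValueError(f"unknown auth-recipient: {recipient!r}")
    steps = {"sender": ["token"], "content": ["sign"]}.get(source, [])
    if recipient == "before-content" and source == "content":
        return ["encrypt"] + steps      # encrypt first, then sign the ciphertext
    if recipient:
        return steps + ["encrypt"]      # encryption is the sender's last step
    return steps

def receiver_order(policy):
    """The receiver undoes the sender's operations in reverse order."""
    return [INVERSE[s] for s in reversed(sender_order(policy))]

def audit(xml_text):
    """Map provider-id -> receiver-side processing order per direction."""
    report = {}
    for prov in ET.fromstring(xml_text).iter("provider-config"):
        report[prov.get("provider-id")] = {
            d: receiver_order(prov.find(f"{d}-policy")) for d in ("request", "response")}
    return report
```

An empty list in the report marks a direction with no policy element, which means those messages carry no message-layer protection.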

Securing a Web Service

Web services deployed on the Enterprise Server are secured by binding SOAP layer message
security providers and message protection policies to the containers in which the applications
are deployed or to web service endpoints served by the applications. SOAP layer message
security functionality is configured in the client-side containers of the Enterprise Server by
binding SOAP layer message security providers and message protection policies to the client
containers or to the portable service references declared by client applications.

When the Enterprise Server is installed, SOAP layer message security providers are configured
in the client and server-side containers of the Enterprise Server, where they are available for
binding for use by the containers, or by individual applications or clients deployed in the
containers. During installation, the providers are configured with a simple message protection
policy that, if bound to a container, or to an application or client in a container, would cause the
source of the content in all request and response messages to be authenticated by XML digital
signature.

The administrative interfaces of the Enterprise Server can be employed to bind the existing
providers for use by the server-side containers of the Enterprise Server, to modify the message
protection policies enforced by the providers, or to create new provider configurations with
alternative message protection policies. Analogous administrative operations can be performed
on the SOAP message layer security configuration of the application client container as defined
in “Enabling Message Security for Application Clients” on page 139.

By default, message layer security is disabled on the Enterprise Server. To configure message
layer security for the Enterprise Server, follow the steps outlined in “Configuring the Enterprise
Server for Message Security” on page 133. If you want to cause web services security to be used to
protect all web services applications deployed on the Enterprise Server, follow the steps in
“Enabling Providers for Message Security” on page 137.

Once you have completed the above steps (which may include restarting the Enterprise Server),
web services security will be applied to all web services applications deployed on the Enterprise
Server.

Sun GlassFish Enterprise Server 2.1 Administration Guide • December 2008 132