When the Application Server provider configuration is insufficient for your security needs, and you want to override the default protection, you can apply application-specific message security to a web service.
Application-specific security is implemented by adding the message security binding to the web service endpoint, whether it is an EJB or servlet web service endpoint. Modify Sun-specific deployment descriptor files to add the message binding information.
For more details, refer to the Securing Applications chapter of the Developers’ Guide. There is a link to this chapter in "Further Information".