We need to call a web service, described in a wsdl and multiple technical documents.
The web service provider say they support OASIS (ws-security, http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf). There is no mention of that in the wsdl we received from the provider, though.
Management requires us to implement message encryption and signature. Previously, this was done using axis and a wsdd file.
I created a jax-ws client for the web service. Now, I'd like to add ws-security to it. If I understand it correctly, I need to write a wsit-client.xml file. However, I'm not sure if I need to reference that in wsdl. If possible, I'd like not to change it, so we don't need to change it if we get a new version. Is this possible?
Additionally, I tried to generate wsit-client.xml using netbeans. I didn't get the options for signature / encryption. Is it because there is no mention of any policy in the wsdl? We're using Eclipse, so I'm only using netbeans for a a quick test.
wsit-client.xml is basically your WSDL enriched with <wsp:Policy> declaration(s) that specifies exactly how/if to encrypt/sign/verify SOAP requests and responses.
You can see an example consumer for MCS (mutual certificate security) here:
http://java.net/projects/wsit/sources/svn/show/trunk/wsit/samples/ws-security/src/mcs?rev=7090
To answer your question, no you do not have to modify the original WSDL. Having said that, it is always highly advisable to include the policy specification inside the concrete WSDL, because the policy is an essential part of the interface contract, i.e. it must match between the consumer and provider in order for communication to succeed.