What is the benefit of using of TransportBinding within policy element instead of explicitly specifying an HTTPS endpoint in the "address location" element of the WSDL file?
As I see from intercepted traffic (I'm using WireShark application for traffic capturing), even if WS-Security policy is disabled, traffic from client to server is encrypted.
For the wsdl that is used in the server, the address location is actually ignored, and it should be reset to the URL that the wsdl is served from. Let say you set it to https in the wsdl, and serve with tomcat running http on port 8080, the client that gets hold of this wsdl via the ?wsdl url will get it for http and not https.
Hence using the TransportBinding is a better way of enforcing HTTPS.