Applying an Authentication Policy in Composed Services 
To apply an authentication policy on your composed service, the policy details must be added directly in the WSDL file. In case you want to compose a service, you have to add a policy in the back-end service that you want to compose. Note, that in a composed service:
If you use JAX-WS generation, the resulting composed service will have no configured end point at all.
If you use SDO generation, the resulting service has an enabled end point with basic authentication by default.
If you simplify services, then you can add the policy to the simplified service later on.
For more information about adding a policy in a WSDL, see http://www.w3.org/TR/ws-policy/ and http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/ws-securitypolicy-1.2-spec-os.pdf.
Prerequisites
You work in the Service Composer perspective of the SAP NetWeaver Developer Studio.
Procedure
Import the WSDL file that you are going to use for composition in your project.
The WSDL file appears in the src/wsdl folder. You can directly open it for editing.
Open the file for editing
Add and modify according to your needs the following tag in the port type section:
Syntax<wsdl:portType name="SalesArrangementSimpleByCustomerIDQueryResponse_In"> <PolicyReference xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#P1" />
End of the code.Add and modify according to your needs the following tags in the global part of the WSDL:
Syntax<UsingPolicy xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy" /> <Policy xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="P1"> <ExactlyOne> <All> <sapsession:Session xmlns:sapsession="http://www.sap.com/webas/630/soap/features/session/"> <sapsession:enableSession>true</sapsession:enableSession> </sapsession:Session> <al:AuthenticationLevel xmlns:al="http://www.sap.com/webas/630/soap/features/authentication/">None</al:AuthenticationLevel> <l:Level xmlns:l="http://www.sap.com/webas/630/soap/features/transportguarantee/">Both</l:Level> </All> </ExactlyOne> </Policy>
End of the code. Syntax<Policy xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="P2"> <ExactlyOne> <All> <sapsession:Session xmlns:sapsession="http://www.sap.com/webas/630/soap/features/session/"> <sapsession:SessionMethod>httpCookies </sapsession:SessionMethod> </sapsession:Session> <wsp:ExactlyOne xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> <wsp:All> <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> <wsp:Policy> <sp:TransportToken> <wsp:Policy> <sp:HttpsToken> <wsp:Policy> <sp:HttpBasicAuthentication /> </wsp:Policy> </sp:HttpsToken> </wsp:Policy> </sp:TransportToken> <sp:AlgorithmSuite> <wsp:Policy> <sp:TripleDesRsa15 /> </wsp:Policy> </sp:AlgorithmSuite> <sp:Layout> <wsp:Policy> <sp:Strict /> </wsp:Policy> </sp:Layout> </wsp:Policy> </sp:TransportBinding> </wsp:All> </wsp:ExactlyOne> </All> </ExactlyOne> </Policy> <UsingPolicy xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy" />
End of the code.Add and modify according to your needs the following tag in the binding section:
Syntax<wsdl:binding name="SalesArrangementSimpleByCustomerIDQueryResponse_InSoapBinding" type="tns:SalesArrangementSimpleByCustomerIDQueryResponse_In"> <PolicyReference xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#P2" />
End of the code.Compose the service as normal. After you deploy the composed service, you have to configure its behavior at runtime.