Our team is implementing SOAP-based web services using Spring-WS and XWSS. So far we've been relying on Spring-WS to generate the WSDL from our XSDs. We're now considering whether to document the security requirements in the WSDL using WS-SecurityPolicy or conveying them in a separate document. Here are the questions we're pondering:
What's the norm? Is it common to put the policy in the WSDL?
Do many (any?) client generators pick up WS-SecurityPolicy info in the WSDL?
Spring-WS doesn't support WS-SecurityPolicy when generating the WSDL. Would switching to Apache CXF help us?
Also, we're aware that REST is gaining popularity but SOAP has been designated by the powers that be. Thanks!