Web Services

For Apache Axis2 (the recommended implementation for web services), there are default credentials for authentication. These credentials can be changed at a global level or per service if required. To ensure that web services are not vulnerable to a security breach, this default user is not authorized to access web services by default. To be authorized, a web service must be associated with a security group, and in turn with a security role that is linked to the user (e.g. WEBSVCS) that needs to access it. Ensuring the user is authorized is a manual process. Please see the Customizing Receiver Runtime Functionality section in the Cúram Web Services Guide for further details on web services, and also the chapter on Authorization in this book.

For Apache Axis 1.4, i.e. legacy web services, once a process is modeled as a web service, this web service will automatically be logged into the application using default credentials. This default user is set up for authorization automatically, i.e. the user will have access to the web service created. Caution is therefore advised when making a class visible as a web service. Please see the Legacy Inbound Web Services section within the Cúram Web Services Guide.

There are a number of other topics related to the security of web services, for example, encrypting data using Rampart. The Cúram Web Services Guide should be consulted for further details on these.