Apache Axis 2 is configured to use REST, and REST does not have message security standards.
If a service relays messages to other services, the messages are exposed to the weakest transport mechanism used between relay points. REST by itself does not include any security mechanisms, so this service relies on the transport layer for message integrity and confidentiality.
[1]
[2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management
[3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A9 Insecure Communications
[4] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A9 Insufficient Transport Layer Protection
[5] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[6] Standards Mapping - FIPS200 - (FISMA) CM, SC
[7] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 311
[8] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 319
[9] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authentication
[10] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 311
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 4.1, Requirement 6.5.10
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 4.1, Requirement 6.5.4