Web services are configured in the Spring application. By default, these web services do not require authentication, and information transferred to or from them is sent in clear text. This could allow an attacker to access privileged operations or expose sensitive data.
Spring provides an easy mechanism to turn any Spring-managed bean into a web service via Spring WS or XFire. Any public method of the remoted Spring bean can be called externally, and the data passed between the client and the web-service-enabled objects is in clear text. The major problem with these services is that they are open by default and provide no guarantees of confidentiality or integrity out of the box.
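An added example (not from the original page and not Spring or XFire code): a small Python audit that lists beans exposed through XFire's `XFireExporter` in a Spring bean file and flags them when `web.xml` declares no `auth-constraint` or no `CONFIDENTIAL` transport guarantee. The bean names and file contents are constructed, and the container-level check is an assumption: it does not match URL patterns or detect message-level WS-Security.

```python
import xml.etree.ElementTree as ET

XFIRE_EXPORTER = "org.codehaus.xfire.spring.remoting.XFireExporter"

def local(tag):
    """Strip the XML namespace so any Spring beans or web.xml schema version matches."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    return [e for e in root.iter() if local(e.tag) == name]

def exported_beans(beans_xml):
    """Return (exporter id or name, exposed bean ref) for every XFireExporter bean."""
    out = []
    for bean in find_all(ET.fromstring(beans_xml), "bean"):
        if bean.get("class") != XFIRE_EXPORTER:
            continue
        for prop in find_all(bean, "property"):
            if prop.get("name") == "serviceBean":
                out.append((bean.get("id") or bean.get("name"), prop.get("ref") or "(nested)"))
    return out

def audit(beans_xml, web_xml):
    """Flag each exported bean when web.xml lacks container-level auth or TLS (assumed check)."""
    web = ET.fromstring(web_xml)
    auth = bool(find_all(web, "auth-constraint"))
    tls = any((e.text or "").strip() == "CONFIDENTIAL" for e in find_all(web, "transport-guarantee"))
    findings = []
    for exporter, ref in exported_beans(beans_xml):
        if not auth:
            findings.append(f"{exporter}: '{ref}' callable without authentication")
        if not tls:
            findings.append(f"{exporter}: '{ref}' served without CONFIDENTIAL transport")
    return findings

# Constructed sample inputs (hypothetical bean and role names, not from the page).
BEANS = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="accountService" class="example.AccountServiceImpl"/>
  <bean name="/AccountService" class="org.codehaus.xfire.spring.remoting.XFireExporter">
    <property name="serviceBean" ref="accountService"/>
  </bean>
</beans>"""
WEB_OPEN = "<web-app><servlet><servlet-name>xfire</servlet-name></servlet></web-app>"
WEB_HARDENED = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/services/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>ws-client</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""
```
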