None of the APIs included in JSR-172 have explicit security requirements
from the point of view of the MIDP 2.0 security architecture. However, when
a remote call is done via the Web Services API, implicitly we are accessing
the networking subsystem. Hence, there is a security risk and in many cases
this means that the user will be asked whether to allow the operation. In
case the user denies permission, SecurityException should
be thrown. This exception will be encapsulated in RemoteException,
so that from the point of view of the application developer it is just another
remote error. Signing the MIDlet and requesting the proper permissions can
alleviate this issue.
A second relevant issue is security at the level of the network connection. As it was already said, the Web Services API does not impose any particular network protocol and as such it doesn't mandate anything about network security. However, since the S60 implementation uses SOAP over HTTP, it inherits the same security features available for HTTP. In practice this means that HTTPS is supported and it can be enabled by just modifying the URL of the service endpoint. Additionally, HTTP Basic Authentication is also supported.
Finally, it should be noted that JAX-RPC as defined in JSR-172 doesn't support the WS-Security standard, which was not yet available by the time JSR-172 was released.