in very simple language : 1-SOAP : is an standard which define , how should messages that come from entity to another entity looks like. it define the structure of xml file that contain web service request and response. so when you execute a web service you send the service container a message in soap format and the result of execution will come back in SOAP format.
XML-RPC and RPC are two method of calling a remote method :-) , it means that you can use XML-RPC or RPC to call a method in a remote computer. XML-RPC will use XML as Transfering mechanism.
2-web service can use SOAP+XML-RPC together . they use XML-RPC as a calling mechanism and SOAP as a transportation format for messages.
Be aware that "XML-RPC" has two different meanings. One is the act of performing RPC by exchanging XML messages (and the XML could be SOAP). The other is the XML-RPC protocol, which I think was a brainchild of Dave Winer. It's a simpler and less powerful alternative to SOAP, but no longer widely used, now that SOAP is supported everywhere.
The standard for WS security is called, well, "WS-Security", and implemented in Java by the WSS4J library. There was a recent article in the JavaRanch Journal that may give you some starting points.