SOAP/Web Services has a number of security/encryption points. Here are some that I can think of offhand:
1. Server container security. SSL/TLS on the entire datastream. Access control via container-managed security and URL pattern matching against web.xml. Or, if you prefer the illusion of security while almost certainly lacking its reality, substitute a user-written Do-it-Yourself security interface. However your options for DIY security are more limited when using Axis, unless you plan to muck around inside Axis's source code.
2. Global message security. Encryption of the entire message packet. This keeps the message secure even if the message is then handed off to backend servers. However, routability suffers, since the routing information is also encrypted.
3. Content-only security. Encryption of the message contents, but not the header. Secures data while maintaining routability. However, sometimes the routability itself is informative, so not as secure as global security.
Items #2 and #3 require security built into Axis and must be configured and controlled as part of the Axis configuration. Item #1 is configured as part of the webapp configuration.
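
To illustrate item #1, here is a web.xml sketch added as an example (it is not part of the original post) that puts the Axis servlet behind container-managed security and forces TLS. The `/services/*` mapping is the usual Axis 1.x layout; the role name `ws-client` and the realm name are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Axis 1.x SOAP endpoint servlet -->
  <servlet>
    <servlet-name>AxisServlet</servlet-name>
    <servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AxisServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SOAP endpoints</web-resource-name>
      <!-- URL pattern the container matches against each request -->
      <url-pattern>/services/*</url-pattern>
      <!-- No http-method elements, so the constraint covers every method,
           not only POST. Listing methods would leave the others open. -->
    </web-resource-collection>
    <!-- Access control: only callers in this role reach the servlet -->
    <auth-constraint>
      <role-name>ws-client</role-name> <!-- assumed role name -->
    </auth-constraint>
    <!-- SSL/TLS on the whole datastream: the container rejects or
         redirects plain-HTTP requests for this pattern -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- BASIC sends credentials on every request, so it is only
       acceptable together with the CONFIDENTIAL guarantee above -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Web Services</realm-name> <!-- assumed realm name -->
  </login-config>

  <security-role>
    <role-name>ws-client</role-name>
  </security-role>
</web-app>
```

Users and their role assignments live in the container's realm configuration, not in this file, and the protection ends where TLS terminates, which is the gap items #2 and #3 address.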