Service-oriented solutions typically require the services to know which user is accessing them, if this user is authenticated or not, and even if this user is authorized or not. If you don't implement these checks and if your services are hosted in a publicly available, uncontrolled environment, everyone will be able to access them. This is definitely something you don't want especially if confidential data is fetched or even edited using service calls.

So we need to make sure that certain service methods are accessible only to certain persons. A typical way of doing this is by using message-based security, which in this case means that you'd include the username/password combination ...