I don't know the answers to all of your questions. However, I've implemented a webservice with the spring-ws/spring-security combination. There are some evolving standards to maintain state for a (soap) webservice (for instance: WS-SecureConversation).
Those aren't supported (yet?) by spring-ws, so you'll have to pass username and password with each request. You can easily do so with a SecurityInterceptor at the client side:
On the server side you'll have to have an interceptor in your endpointmapping which'll try to authenticate against the defined authentication bean.
<bean id="securityInterceptor" class="org.springframework.ws.soap.security.xwss.XwsSecurityInterceptor">
<property name="policyConfiguration" value="classpath:xwss-config.xml"/>
<property name="callbackHandler" ref="springSecurityHandler"/>
<bean id="springSecurityHandler" class="org.springframework.ws.soap.security.xwss.callback.SpringUsernamePasswordCallbackHandler"/>