Your question is a little difficult for me to answer, because it is so broad, but I'll try.
The APIs and technologies you mention allow for a variety of security possibilities. Also, the JAX-WS tools may be used for building pieces of client-side applications, or even stand-alone applications. For example, you can use the XML schema compiler to create Java classes that are used solely for processing an XML data file. For the most part, however, these are server-side tools and APIs. There are two broad pieces of the security puzzle that are addressed in some way by all. Message security and network connection security. I forget where, but somewhere in the Sun documentation is a nice matrix summarizing these. The network connection security is what is provided by TLS/SSL, and for which the client certificates you have mentioned might by employed. TLS/SSL doesn't care about the content that goes over the connection. It only provides a secure pipe to transfer data between network peers. It will authenticate the server and optionally the client and then encrypt all the data sent. It is with client certificates that the client-side of the connection is authenticated. Message security is concerned with the contents of what is being sent, i.e. the "message". This involves the notions of a sender and a recipient, just like in e-mail. The sender applies security to the message, for example, encryption and digital signatures, and the result is a secured message. This secured message is the sent to the recipient, possibly over SSL or possibly not. It cannot be decrypted by anyone except the recipient. Message security functionality is provided by XML encryption and XML digital signature APIs and tools.
PS. The reference to the Sun docs I referred to above come from the
Sun Java Web Services Tutorial, which in turn is from
Security Challenges, Threats, and Countermeasures [ December 15, 2007: Message edited by: greg stark ]