Difference between Web Application and Web service security and functionality

I have multiple doubts regarding web application and web service security.

  1. Web applications and Web services (REST or SOAP) are both deployed on a server, so both must have a Filter or Servlet as the first entry point through which each request passes to access any resource inside that application?

  2. If the above understanding is correct, then we can apply security (Authentication, Authorization and Integrity Constraint) as per the servlet specification on both of these types of applications (Web application / Web services)? After all, they are both running on a servlet container and accessible through HTTP.

  3. Can we just secure any of these types of applications with the security measures listed in the servlet specification?

  4. What are the possible ways to access the web service (SOAP/REST), i.e. browser, SoapUI, etc.? I mean, the possible types of client?