Whatever authentication method you have used to secure your GIS services, it will eventually achieve the one thing it is intended to, authentication. However, after authentication, the transmission of packets between client and server is all done in naked plain text. If you used tokens, someone can intercept and start working on breaking your token into its main components: the username and the password. If it is a long-lived token, chances are that it might be broken. Another eavesdropper might not even need to break the token; he/she will simply listen to the transmission, borrow the token, and re-use it in a reply attack. The same applies on the Web tier security, which is why securing the very channel on which the whole thing is staged is essential to protect all communication, and this is done using the HTTPS protocol.