At the moment if a Soap message contains a string in the format ${property} the property is replaced with a system property, this means in theory it would be possible for a client to get access to any system properties - especially if any fault or response messages contain fields from the incomming request.