Apply security to the controllers and services listed below within the admin tool so that they are accessible only to authenticated users who are members of the administrator group. See the PushController for examples of how to do this, and AcademicsAuthServiceImpl.java for examples of how to get the request object in a CXF web service.
AdminService (save/delete methods only)
MembershipService (add/remove methods only)
ToolService (delete method only)