Isn't the developer portal written in Java too, probably with a mix of frameworks for different components (it certainly had a heterogenous feel on the front end)? I seem to remember some of the signon urls had .woa in them, and one of the former Struts developers mentioned a vulnerability which sounds like a likely candidate:

https://news.ycombinator.com/item?id=6081428

It'd be interesting to know after all this is over what the vulnerability was, though we'll probably never hear from Apple.