Web services best practices
I want to do best practices now, not later. What functions should be done by the app server? What functions should be performed by dedicated Web service infrastructure? Does a Web service infrastructure exist?
The app server is the right place to implement:
- The inner layer of a multi-layer security scheme (typically basic authentication and access control based on abstract roles)
- A generic Web service interface that can be reused.

The Web service infrastructure is the right place to implement:
- Common policies that cut across multiple Web services
- Monitoring and audit trail creation for regulatory compliance
- Service level monitoring and response policies for failure to hit
- The outer layers of a multi-layer security scheme (i.e. malicious attack scanning, mapping of specific requestors to abstract roles)
- A requestor-specific virtual service (known as a Service View) that maps the generic interface into the interface needed by that specific group of requestors. Service views will vary interface elements such as transport used (HTTP vs. MQ vs. TIBCO); standards level supported (for SOAP, WSDL, etc.); security standards/mechanisms (which authentication authority is used, are the messages WS-Security compliant or not); XML document schemas; etc.
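
The split of security duties described above, as an added example that is not part of the original answer: the infrastructure layer maps specific requestors to abstract roles and writes the audit trail, while the app server authorizes on abstract roles only. All names and sample data are hypothetical, and the requestor identity is assumed to be already authenticated.

```python
"""Sketch of the two-layer scheme: outer layer maps requestors to abstract
roles and audits; inner layer (app server) checks abstract roles only."""
from dataclasses import dataclass, field

# --- Outer layer: Web service infrastructure (hypothetical names) ---
REQUESTOR_ROLES = {  # constructed sample mapping: requestor -> abstract role
    "partner-a.example": "order_reader",
    "internal-billing": "order_admin",
}

@dataclass
class Gateway:
    audit: list = field(default_factory=list)

    def admit(self, requestor, operation):
        """Map a specific requestor to an abstract role; log every decision."""
        role = REQUESTOR_ROLES.get(requestor)  # unknown requestor -> None
        self.audit.append((requestor, operation, role or "DENIED"))
        return role

# --- Inner layer: app server knows roles, never individual requestors ---
ROLE_PERMISSIONS = {  # constructed sample policy
    "order_reader": {"getOrder"},
    "order_admin": {"getOrder", "cancelOrder"},
}

def app_server_call(role, operation):
    """Generic service interface: authorize on the abstract role alone."""
    if operation not in ROLE_PERMISSIONS.get(role, set()):
        raise PermissionError(f"role {role!r} may not call {operation}")
    return f"{operation} ok"

def handle(gateway, requestor, operation):
    """Run one request through both layers, failing closed at each."""
    role = gateway.admit(requestor, operation)
    if role is None:
        return "rejected at gateway"
    try:
        return app_server_call(role, operation)
    except PermissionError:
        return "rejected at app server"

if __name__ == "__main__":
    gw = Gateway()
    for who, op in [("partner-a.example", "getOrder"),
                    ("partner-a.example", "cancelOrder"),
                    ("unknown-host", "getOrder")]:
        print(who, op, "->", handle(gw, who, op))
    print(gw.audit)
```

Adding a new requestor changes only the gateway's mapping; the app server's role policy stays untouched.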
This was first published in July 2004