Security is a very large topic for Service Layer implementers, and the scope is too broad for a short article like this one. So I’ll just discuss the most obvious aspect of it – user authentication.
If the Service Layer is to have great value, it needs to provide a homogeneous authentication approach. A typical goal would be to have authorization decisions somehow externalized so that the Service Layer could handle them automatically in the context of the universal authentication scheme.
Unfortunately, what we normally see is a much more difficult situation. Legacy systems were built over a long period of time by people who did not know each other, who did not share common goals, who did not understand enterprise architecture, and to whom security was a last-minute add-on. As a result, the various authentication schemes that back-end systems implement are eclectic and thus hard to mold into the seamless whole that is the goal of the Service Layer.