"Security doesn't get enough attention in SOA," warns Dennis Gaughan, senior analyst at AMR Research. Early efforts tend to focus on defining service and messaging interfaces, or on separating business and data logic from each other and from execution and presentation. But as services become widely used and adopted, retrofitting them to accommodate access control and authorization becomes very difficult.
Ask anyone in charge of constructing an SOA (service-oriented architecture), and they'll tell you that the hardest part isn't the technology; it's redrawing the business processes that provide the basis for the architecture -- and the often contentious reshuffling of roles and responsibilities that ensues.