You basically need to pass a Security Token with each service invocation. On pre-invocation you do the normal access control; on post-invocation you need to filter the data values (i.e. remove sensitive data if the security token does not have the right access). This is necessary, since we no longer have any single point of control, and trying to establish a single point of control will break the agility and time-to-market values of your SOA.
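The pattern above (token travels with every call, an access check before the service runs, and field-level filtering of the response afterwards) as a small added example; it is not code from the original post. The scope names, the field sensitivity labels and the customer record are all constructed for the example, and the filter goes a little beyond the text by descending into nested records and lists, since real service payloads are rarely flat.

```python
"""Pre-invocation access control plus post-invocation data filtering.

Added example, not part of the original discussion. It assumes a simple
bearer-style token carrying a set of granted scopes; scope names, field
labels and the sample record below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any


class AccessDenied(Exception):
    """Raised when the token does not permit invoking the service at all."""


@dataclass(frozen=True)
class SecurityToken:
    subject: str
    scopes: frozenset[str]

    def has(self, scope: str) -> bool:
        return scope in self.scopes


# Assumed scope names (constructed for this example).
INVOKE_SCOPE = "customer:read"

# Field-level labels: the scope a consumer needs in order to see a field.
# Fields without a label are treated as non-sensitive and always returned.
FIELD_SCOPES = {
    "ssn": "customer:read:pii",
    "credit_limit": "customer:read:financial",
    "iban": "customer:read:financial",
}

# Constructed sample record the service would return before filtering.
CUSTOMER_RECORD = {
    "id": 42,
    "name": "A. Customer",
    "ssn": "000-00-0000",
    "credit_limit": 5000,
    "accounts": [
        {"id": "acc-1", "iban": "XX00 0000 0000 0000", "type": "current"},
    ],
}


def pre_invocation_check(token: SecurityToken, required_scope: str) -> None:
    """Normal access control: may this caller invoke the operation at all?"""
    if not token.has(required_scope):
        raise AccessDenied(f"{token.subject} lacks scope {required_scope}")


def post_invocation_filter(token: SecurityToken, value: Any,
                           field_scopes: dict[str, str]) -> Any:
    """Drop every labelled field the token is not entitled to, recursively.

    Dicts are filtered key by key, lists element by element; scalars pass
    through unchanged. Sensitive fields are removed rather than masked so a
    consumer cannot tell a redacted value from an absent one.
    """
    if isinstance(value, dict):
        filtered = {}
        for key, item in value.items():
            needed = field_scopes.get(key)
            if needed is None or token.has(needed):
                filtered[key] = post_invocation_filter(token, item, field_scopes)
        return filtered
    if isinstance(value, list):
        return [post_invocation_filter(token, item, field_scopes) for item in value]
    return value


def get_customer(token: SecurityToken, customer_id: int) -> dict:
    """Service operation: check before, fetch, filter after."""
    pre_invocation_check(token, INVOKE_SCOPE)
    if customer_id != CUSTOMER_RECORD["id"]:
        raise KeyError(customer_id)
    return post_invocation_filter(token, CUSTOMER_RECORD, FIELD_SCOPES)


if __name__ == "__main__":
    basic = SecurityToken("bob", frozenset({"customer:read"}))
    print(get_customer(basic, 42))  # no ssn, credit_limit or iban
```

Each provider evaluates the token locally against its own field labels, so no central gateway has to know every service's data model; the trade-off is that the labels must be kept accurate inside each service, which is where a KPI such as "percentage of operations with documented field sensitivity" could come in.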
- WebServices can lead to function oriented services, while REST can lead to a resource oriented architecture. Are both SOA?
- I don't think I understand what's meant by laws 4 and 5 (I understand the words, but not what you want people to do and when)
- I think I agree with law 3, "Establish service ownership and Key Performance Indicators for your services", but an example of a KPI would be helpful
- I think I agree with law 8, "Security is not optional in SOA", but I don't understand what you mean by it yet
- In SOA: is my customer the same entity as your customer? Is my product list the same as your product list? In which situations?
- [Question still to be asked..]
NB! Feel free to add any question you might have here