Hi there,

I've been working with JBoss ESB for some time now. I've written several services used to provide business functionalities. Now I'm thinking about a security mechanism for these services. However, this seems to be a complex topic.

Most important I need means for authentification. For example only trusted users should be able to access a service and provide input data for it. Are there any best practices for JBoss ESB?

One of the features I really like about JBoss ESB is the separation of business logic (in the action queue) and the transports. For webservices there exists a security framework with WS-Security, WS-Trust, XML Signature and so on. In my understanding however, these are bound to the transport "webservice". How can I achieve a separation of security issues from the transport? Is there a standard ESB-way to do it?

Any comments, links to literature concerning SOA security and so on are welcome! Thanks in advance.

-Sebastian