Web Services security

I am interested in getting people's take on Web Services security. What do you expect from Java in this area? What do you see as being different in your requirements for web services security from those other security models such as that in J2EE?
Thanks,
John Harby
JCP Member
JSR 155 Expert Group

I would expect web services to use https for secure communication like other J2EE apps. The difference is that J2EE apps can be end-user apps, whereas web services are likely used as a back-end interface. This would mean a difference in the login method, but the principal is the same.

Still haven't gotten around to reading Webmethod's latest paper on webservices security , but found this one which is interesting ..
http://www.line56.com/articles/default.asp?NewsID=3309

I think the P2P environment is more interesting. The authorization becomes sort of a 2-way trust model. For example, service 1 on host 1 uses method A in service 2 on host 2. There is 2-way authentication and non-repudiation allowing service 1 to know that it is invoking service 2 on host 2. But how does it know that it is invoking the same method A and that method A has not been altered? In an internet environment, this could be a concern.

I noticed an article today on Web Service Security.
http://www.infoworld.com/articles/tc/xml/02/01/14/020114tcsecure.xml