I want to do best practices now, not later. What functions should be done by the app server? What functions should be performed by dedicated Web service infrastructure? Does a Web service infrastructure exist?
The app server is the right place to implement:
The inner layer of a multi-layer security scheme (typically basic authentication and access control based on abstract roles)
A generic Web service interface that can be reused.
The Web service infrastructure is the right place to implement:
Common policies that cut across multiple Web services
Monitoring and audit trail creation for regulatory compliance
Service level monitoring and response policies for failure to hit service levels
The outer layers of a multi-layer security scheme (i.e. malicious attack scanning, mapping of specific requestors to abstract roles)
A requestor-specific virtual service (known as a Service View) that maps the generic interface into the interface needed by that specific group of requestors. Service views will vary interface elements such as transport used (HTTP vs. MQ vs. TIBCO); standards level supported (for SOAP, WSDL, etc.); security standards/mechanisms (which authentication authority is used, whether the messages are WS-Security compliant or not); XML document schemas; etc.
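The split described in this answer, as an added example that is not part of the original page: the outer layer (Web service infrastructure) authenticates the specific requestor, screens the message for obviously hostile content, maps the requestor to an abstract role, writes an audit record and hands the app server a generic request; the inner layer (app server) enforces access control on abstract roles only and never sees requestor identities. All requestor names, keys, roles, operations and order data are constructed for the illustration, and the content screen is a deliberately simple stand-in for real attack scanning.

```python
"""Two-layer security scheme: gateway (outer layer) in front of an app server (inner layer).
Added illustration; every requestor, key, role and record below is constructed."""
import hmac
import json
from dataclasses import dataclass

# --- Outer layer: Web service infrastructure --------------------------------

# Constructed requestor registry: shared secret -> (requestor name, abstract role).
# Specific requestor identities live here; the app server only ever sees the role.
REQUESTOR_REGISTRY = {
    "key-partner-acme": ("acme-partner", "order-reader"),
    "key-internal-ops": ("ops-console", "order-admin"),
}

# Cheap content screen the gateway applies before anything reaches the app server
# (stand-in for real malicious-attack scanning; case-insensitive substring match).
BLOCKED_MARKERS = ("<!doctype", "<!entity", "<script")

AUDIT_TRAIL = []  # constructed in-memory audit trail; a real gateway would persist it


@dataclass
class GenericRequest:
    role: str        # abstract role, not the requestor's identity
    operation: str
    payload: dict


@dataclass
class Denied:
    reason: str


def lookup_requestor(presented_key):
    """Constant-time comparison against each registered key; None if no match."""
    for key, (name, role) in REQUESTOR_REGISTRY.items():
        if hmac.compare_digest(key, presented_key):
            return name, role
    return None


def gateway(presented_key, raw_body):
    """Outer layer: authenticate, screen, map to role, audit, build the generic request."""
    ident = lookup_requestor(presented_key)
    if ident is None:
        AUDIT_TRAIL.append({"requestor": None, "outcome": "rejected-unknown-key"})
        return Denied("unknown requestor")
    name, role = ident
    lowered = raw_body.lower()
    if any(marker in lowered for marker in BLOCKED_MARKERS):
        AUDIT_TRAIL.append({"requestor": name, "outcome": "rejected-hostile-content"})
        return Denied("message failed content screen")
    try:
        body = json.loads(raw_body)
        operation = body["operation"]
        payload = body.get("payload", {})
    except (ValueError, KeyError, TypeError, AttributeError):
        AUDIT_TRAIL.append({"requestor": name, "outcome": "rejected-malformed"})
        return Denied("malformed request")
    AUDIT_TRAIL.append({"requestor": name, "role": role,
                        "operation": operation, "outcome": "forwarded"})
    return GenericRequest(role=role, operation=operation, payload=payload)


# --- Inner layer: app server --------------------------------------------------

# Access control keyed on abstract roles only.
ROLE_PERMISSIONS = {
    "order-reader": {"get_order"},
    "order-admin": {"get_order", "cancel_order"},
}

ORDERS = {"1001": {"status": "shipped"}}  # constructed data


def app_server(req):
    """Inner layer: enforce role-based access control, then run the generic operation."""
    if isinstance(req, Denied):
        return {"error": req.reason}
    if req.operation not in ROLE_PERMISSIONS.get(req.role, set()):
        return {"error": "forbidden for role " + req.role}
    order = ORDERS.get(req.payload.get("id"))
    if order is None:
        return {"error": "not found"}
    if req.operation == "cancel_order":
        order["status"] = "cancelled"
    return {"order": order}


def handle(presented_key, raw_body):
    """Full path a request takes: gateway first, app server second."""
    return app_server(gateway(presented_key, raw_body))


if __name__ == "__main__":
    print(handle("key-partner-acme", '{"operation": "get_order", "payload": {"id": "1001"}}'))
    print(handle("key-partner-acme", '{"operation": "cancel_order", "payload": {"id": "1001"}}'))
    print(AUDIT_TRAIL)
```

The point of the layering is that a requestor reaching the app server through some other path still gets only what its abstract role permits, while the gateway is the single place to change how a particular partner authenticates or what its messages are screened for.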