#yada
2015-11-26
stijn 13:11:15

@malcolmsparks: regarding authentication / authorization, I'm not sure how far you are on that front, but looking at the current implementation:

stijn 13:11:36

1/ it's confusing where the line between authentication and authorization lies

stijn 13:11:14

2/ I would guess that authentication would go all the way to validating if the credentials do indeed match to a user

stijn 13:11:59

3/ Whereas authorization would deal with looking if the action on the resource in question is allowed for the authenticated user

stijn 13:11:25

I think that currently: Service/authentication = get the auth parameters from the request, Service/authorize = make sure that the authentication data matches a user (or whatever that gives access to the system), Service/authorization = the real authorization

stijn 13:11:11

but that last part, shouldn't it be moved to the handler instead? the service protocol can't know if it should grant access or not, right?