In the service-oriented architecture, the components deployed on application servers are published as web services. Though many researches focus on how to authorize at the web service level currently, there is little work involving the authorization gap between the service and its component implementation. This paper tries to bridge the gap by proposing a service-oriented trust management model, which expands the application server?s capability to deal with more complex trust relationship between service users and services, and supplies a flexible trust management mechanism to integrate authentication and authorization together. Moreover, the model provides a finer granularity access control, sustains delegation between users, and has a certain extent reasoning capability. The model has been implemented in a J2EE application server, and the experiment has demonstrated that the model has high flexibility and scalability.