I developed a SOAP web service a few months back and had similar security concerns for what was to be a "private" service available only to a business partner who is developing and supporting a web site application. It's not yet in production (awaiting someone else to make some decisions), but the security elements have been approved.

Our web service operations comprise the back-end processing for a Bill-Pay web site for a Telecom, and involves a series of requests from the web site script to the web services on the IBM i host as a customer navigates through committing a payment. The website itself has the customer-authentication routines, but to thwart someone from accessing the host web services directly, the requests must carry some key elements that match what's in the host database. And ours requires a self-signed SSL certificate, and VPN access through the firewall.

I don't know if your application has elements that the caller must "know", but mine requires a phone number, account number, and email address to be passed with the initial request. If that combination does not match active records on the host, a fail code and message are returned from the web service.

If everything is cool, the web service returns a unique sessionID number, which must accompany each subsequent call to the web service for that "session". If a call to any operation does not carry that Session ID, it fails. And the sessionID times out after a certain number of minutes since last activity.

A thread in this list back in early February may give you some additional considerations and suggestions: http://archive.midrange.com/web400/201502/msg00000.html

Hope this helps in some small way.

Michael Koester
Programmer/Analyst
DataEast - Granite State Communications

-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of p.Caroti
Sent: Monday, August 17, 2015 1:42 PM
To: web400@xxxxxxxxxxxx
Subject: [WEB400] put in safety my Rest Web Services

Hi



I have written and published some web Services to send and receive data
from App (Android and iOs) ; at this moment anybody that know System I ip
address and web service name could send and receive data from my System i.
My question is how could protect the Web Service's call . I was thinking
to a dynamic password linked to date and time passed as parameter in uri
..
Which technique do you use in this situations ?



Thanks in advance



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.