I developed a SOAP web service a few months back and had similar security concerns for what was to be a "private" service available only to a business partner who is developing and supporting a web site application. It's not yet in production (awaiting someone else to make some decisions), but the security elements have been approved.
Our web service operations comprise the back-end processing for a Bill-Pay web site for a Telecom, and involves a series of requests from the web site script to the web services on the IBM i host as a customer navigates through committing a payment. The website itself has the customer-authentication routines, but to thwart someone from accessing the host web services directly, the requests must carry some key elements that match what's in the host database. And ours requires a self-signed SSL certificate, and VPN access through the firewall.
I don't know if your application has elements that the caller must "know", but mine requires a phone number, account number, and email address to be passed with the initial request. If that combination does not match active records on the host, a fail code and message are returned from the web service.
If everything is cool, the web service returns a unique sessionID number, which must accompany each subsequent call to the web service for that "session". If a call to any operation does not carry that Session ID, it fails. And the sessionID times out after a certain number of minutes since last activity.
A thread in this list back in early February may give you some additional considerations and suggestions:
http://archive.midrange.com/web400/201502/msg00000.html
Hope this helps in some small way.
Michael Koester
Programmer/Analyst
DataEast - Granite State Communications
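The flow Michael describes (three elements that must match an active record on the first call, then a server-issued session ID that every later call must carry and that expires after a period of inactivity), written out as an added example; this is not code from the original post or from the IBM i host. The customer record, the 10-minute idle timeout and the error code are assumptions.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT_SECONDS = 10 * 60  # assumed: session dies after 10 idle minutes

# Constructed sample of the host's active customer records, keyed by account number.
ACTIVE_CUSTOMERS = {
    "ACCT-1001": {"phone": "6035550100", "email": "jane@example.com"},
}

SESSIONS = {}  # session_id -> {"account": ..., "last_activity": ...}


def _match(record, phone, email):
    # compare_digest keeps timing independent of where the mismatch occurs
    return (hmac.compare_digest(record["phone"].encode(), phone.encode())
            and hmac.compare_digest(record["email"].encode(), email.encode()))


def open_session(phone, account, email, now=None):
    """Initial request: phone, account and email must all match an active record.
    Returns (session_id, None) on success or (None, error_code) on failure."""
    now = time.time() if now is None else now
    record = ACTIVE_CUSTOMERS.get(account)
    if record is None or not _match(record, phone, email):
        return None, "E001 customer details do not match active records"  # assumed code
    session_id = secrets.token_urlsafe(32)  # random, not derived from date/time
    SESSIONS[session_id] = {"account": account, "last_activity": now}
    return session_id, None


def validate_session(session_id, now=None):
    """Every subsequent operation calls this first. Returns the account for a
    live session, or None if the id is missing, unknown or idle for too long."""
    now = time.time() if now is None else now
    session = SESSIONS.get(session_id) if session_id else None
    if session is None:
        return None
    if now - session["last_activity"] > IDLE_TIMEOUT_SECONDS:
        del SESSIONS[session_id]  # timed out: drop it so it cannot be revived
        return None
    session["last_activity"] = now  # timeout is measured since last activity
    return session["account"]
```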
-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of p.Caroti
Sent: Monday, August 17, 2015 1:42 PM
To: web400@xxxxxxxxxxxx
Subject: [WEB400] put in safety my Rest Web Services
Hi
I have written and published some web services to send and receive data
from apps (Android and iOS); at this moment anybody who knows the System i IP
address and web service name could send and receive data from my System i.
My question is how I could protect the web service calls. I was thinking
of a dynamic password linked to date and time, passed as a parameter in the URI
...
Which technique do you use in these situations?
Thanks in advance