restrict access to Web Service to certain client applications


Athen

I have a web service; say its name is MyWebService. This service is only
for the MyClient application, which means MyWebService should only serve
the MyClient application. Is there a way to do this?
 

Jeffrey Hasan

I would recommend implementing authentication/authorization, for example
using WS-Security (with WSE 2.0). If need be, you can hardwire the "secret"
credentials into the specific client so that this is the only client whose
Web service requests will be accepted.

I'm sure you can come up with various creative ways to implement this (for
example, by examining the origin of the incoming request in the
Application_BeginRequest event handler) but any of these creative methods
will be potentially inaccurate and, worse, insecure. So I recommend
implementing WS-Security. It's easy to do with WSE 2.0, and it gives you the
flexibility to expand the audience for your Web service in the future simply
by issuing them the appropriate credentials.

Jeffrey Hasan, MCSD
President, Bluestone Partners, Inc.
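
The shared-secret check recommended above, as an added example that is not part of the original post and not WSE 2.0 code: a language-neutral Python sketch of the WS-Security UsernameToken password digest, with the client building the token and the service rejecting unknown clients, stale timestamps and replays. The client name, secret value, five-minute window and dictionary layout are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed sample credential store (hypothetical names and values).
CLIENT_SECRETS = {"MyClient": "constructed-sample-secret"}
MAX_AGE = timedelta(minutes=5)   # assumed freshness window
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
_seen_nonces = set()             # replay cache; expire entries in a real service

def password_digest(nonce: bytes, created: str, secret: str) -> bytes:
    # UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)).
    raw = hashlib.sha1(nonce + created.encode() + secret.encode()).digest()
    return base64.b64encode(raw)

def make_token(username, secret, now=None):
    """Client side: fields carried in the wsse:UsernameToken header."""
    created = (now or datetime.now(timezone.utc)).strftime(TS_FORMAT)
    nonce = os.urandom(16)
    return {"username": username,
            "nonce": base64.b64encode(nonce).decode(),
            "created": created,
            "digest": password_digest(nonce, created, secret).decode()}

def verify_token(token, now=None):
    """Server side: accept only a fresh, unreplayed token from a known client."""
    now = now or datetime.now(timezone.utc)
    try:
        secret = CLIENT_SECRETS[token["username"]]
        nonce = base64.b64decode(token["nonce"], validate=True)
        created = datetime.strptime(token["created"], TS_FORMAT)
        supplied = token["digest"].encode()
    except (KeyError, ValueError):
        return False                       # unknown client or malformed field
    if abs(now - created.replace(tzinfo=timezone.utc)) > MAX_AGE:
        return False                       # stale or far-future timestamp
    expected = password_digest(nonce, token["created"], secret)
    if not hmac.compare_digest(expected, supplied):
        return False                       # wrong secret or altered fields
    if nonce in _seen_nonces:
        return False                       # replayed token
    _seen_nonces.add(nonce)
    return True
```

The check proves possession of the secret, so any process that can read the value out of the client can pass it; store the secret accordingly.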
 

Athen

Jeff,

Thank you for your info. We do use Windows authentication for this web
service. But just authentication/authorization of the user is not
enough. How about many applications running as this particular user
trying to access this web service? We only want to give access to the
particular application. I think this is some restriction check before
authentication: if the application doesn't have access to this web
service, we don't even try to authenticate the user.

Thanks!
 
