
Reputation: 65175

How to make a public web service API private?

I have an API that is used by the iPhone, Android, and BlackBerry mobile applications only. I don't want to let anyone else use the API or see the SOAP API.

How do I do this?

Note: If I restrict the IP and make the web service private, the mobile application will stop working. If I make it public, then anyone can see the web service.

Upvotes: 6

Views: 3251

Answers (5)

Bob Swart

Reputation: 1298

Disable WSDL, and use HTTPS in combination with SOAP headers to check for credentials (send, for example, the username and a hashed password). Note that with HTTPS this data is encrypted, including the SOAP header. If enough incorrect requests are logged from a certain IP, you can blacklist that IP address for a little while.

Upvotes: 0
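An added example of the scheme this answer describes (it is not code from the answer's author): credentials are read from a SOAP header element, the presented password hash is compared against the stored one, and an IP that fails too often is blacklisted for a period. Everything about the header layout, the namespace `urn:example:auth`, the user store and the lockout numbers is assumed for the example; the SOAP request is constructed inline. HTTPS is assumed to terminate at the web server in front of this code, since without it the header is sniffable and replayable.

```python
"""Added example, not the answer's own code: SOAP-header credential check
plus per-IP lockout after repeated failures.

Assumptions (not in the original post): header element <Credentials> with
<Username> and <PasswordHash> children in the made-up namespace
urn:example:auth; the client sends sha256(salt + password) as the hash.
"""
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:example:auth"   # hypothetical namespace for the credentials header

MAX_FAILURES = 5               # assumed policy values
LOCKOUT_SECONDS = 600


def _hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store: username -> (salt, sha256(salt + password))
USERS = {"mobile_app": ("s4lt", _hash("s4lt", "correct horse"))}


class FailureTracker:
    """Counts failed logins per client IP and blacklists the IP for a while."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self._failures = {}   # ip -> consecutive failure count
        self._blocked = {}    # ip -> timestamp at which the block expires

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        until = self._blocked.get(ip)
        if until is None:
            return False
        if now >= until:                 # lockout expired: reset the counters
            del self._blocked[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now=None):
        now = time.time() if now is None else now
        self._failures[ip] = self._failures.get(ip, 0) + 1
        if self._failures[ip] >= self.max_failures:
            self._blocked[ip] = now + self.lockout

    def record_success(self, ip):
        self._failures.pop(ip, None)


def extract_credentials(envelope_xml):
    """Return (username, password_hash) from the SOAP header, or None."""
    root = ET.fromstring(envelope_xml)
    cred = root.find(f"{{{SOAP_NS}}}Header/{{{AUTH_NS}}}Credentials")
    if cred is None:
        return None
    user = cred.findtext(f"{{{AUTH_NS}}}Username")
    pw_hash = cred.findtext(f"{{{AUTH_NS}}}PasswordHash")
    if not user or not pw_hash:
        return None
    return user, pw_hash


def authenticate(envelope_xml, client_ip, tracker, now=None):
    """Return (status, detail); status is 'ok', 'denied' or 'blocked'."""
    if tracker.is_blocked(client_ip, now):
        return "blocked", "too many failed attempts"
    creds = extract_credentials(envelope_xml)
    if creds is None:
        tracker.record_failure(client_ip, now)
        return "denied", "missing credentials header"
    user, presented = creds
    record = USERS.get(user)
    if record is None:
        tracker.record_failure(client_ip, now)
        return "denied", "bad credentials"
    _salt, expected = record
    # compare_digest: constant-time comparison of the hex digests
    if not hmac.compare_digest(presented, expected):
        tracker.record_failure(client_ip, now)
        return "denied", "bad credentials"
    tracker.record_success(client_ip)
    return "ok", user


# Constructed sample request carrying valid credentials in the header
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:a="{AUTH_NS}">
  <soap:Header>
    <a:Credentials>
      <a:Username>mobile_app</a:Username>
      <a:PasswordHash>{_hash("s4lt", "correct horse")}</a:PasswordHash>
    </a:Credentials>
  </soap:Header>
  <soap:Body><a:GetItems/></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    t = FailureTracker()
    print(authenticate(SAMPLE_REQUEST, "10.0.0.1", t))
```

Note that the hashed password in the header is a static bearer credential: anyone who can read the traffic can replay it unchanged, which is why the answer pairs it with HTTPS. The lockout is keyed on source IP, so clients behind one NAT share a failure budget; raise the threshold or key on username as well if that matters in your deployment.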

Alexander Beletsky

Reputation: 19831

The first suggestion is OK: stop WSDL publication, if you use it at all.

But basically you have to implement an authentication/authorization mechanism for your application. There should be a login method that

  1. checks credentials - login/password
  2. checks the HTTP request agent settings - whether it is a mobile device

If the two requirements match, you authorize this request (by cookie, for instance) or return an authorization token, which will be input for all API methods. If the token is OK, the API method works; if not, it returns 404, for instance.

Upvotes: 3
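An added example of the login-then-token flow this answer describes (not the answer's own code): `login` performs the two checks, issues an HMAC-signed token with an expiry, and every API call goes through `call_api`, which returns 404 unless the token verifies. The user store, the server secret, the `user:expiry:signature` token layout, and the accepted User-Agent prefixes are all assumptions made for the example.

```python
"""Added example, not the answer's own code: login method issuing a signed
authorization token, and an API entry point that rejects calls without one.

Assumptions (not in the original post): user store, SERVER_SECRET, token
layout "user:expiry:hmac" and the MOBILE_AGENTS prefixes are made up.
"""
import base64
import hashlib
import hmac
import time

SERVER_SECRET = b"rotate-me-and-keep-out-of-source-control"   # assumed value
TOKEN_TTL = 3600                                                # seconds

# Constructed user store: username -> sha256(password)
# (unsalted here only to keep the focus on the token handling)
USERS = {"alice": hashlib.sha256(b"s3cret").hexdigest()}

# Values the answer's "agent settings" check accepts (assumed)
MOBILE_AGENTS = ("MyApp-iPhone/", "MyApp-Android/", "MyApp-BlackBerry/")


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def login(username, password, user_agent, now=None):
    """Steps 1 and 2 of the answer. Returns a token string, or None."""
    now = int(time.time() if now is None else now)
    expected = USERS.get(username)
    presented = hashlib.sha256(password.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(presented, expected):
        return None
    if not user_agent.startswith(MOBILE_AGENTS):
        return None
    payload = f"{username}:{now + TOKEN_TTL}".encode()
    token = payload + b":" + _sign(payload).encode()
    return base64.urlsafe_b64encode(token).decode()


def verify_token(token, now=None):
    """Return the username if the token is well formed, correctly signed
    and not expired; otherwise None."""
    now = int(time.time() if now is None else now)
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        user, expiry, sig = raw.rsplit(":", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    payload = f"{user}:{expiry}".encode()
    # Check the signature before trusting any field of the payload
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    if not expiry.isdigit() or now >= int(expiry):
        return None
    return user


def call_api(method, token, now=None):
    """Every API method is dispatched here; no valid token means 404,
    as the answer suggests. Returns (status_code, body)."""
    user = verify_token(token, now)
    if user is None:
        return 404, None
    if method == "GetItems":
        return 200, {"user": user, "items": ["a", "b"]}
    return 404, None


if __name__ == "__main__":
    tok = login("alice", "s3cret", "MyApp-Android/1.0")
    print(tok)
    print(call_api("GetItems", tok))
```

The User-Agent check costs an attacker one line of code to satisfy, so treat it as a filter for accidental traffic rather than a control; the token and the password still have to travel over HTTPS, or whoever sniffs them can replay them for the rest of the TTL.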

Jon Skeet

Reputation: 1502376

You could potentially run it over HTTPS and require client certificates. It depends on how well the mobile platforms involved support custom client certificates. Of course, if the client certificate is copied from the application then you're just as open...

Upvotes: 0

Marc Gravell

Reputation: 1063453

Anyone can sniff the traffic, and spoof pretty much every aspect of it. So you can't block that, although encrypting the traffic will help somewhat. What you might do is restrict access to registered users, but that may not play well if your app allows unregistered usage.

Upvotes: 0

Darin Dimitrov

Reputation: 1039180

As a starting point you could disable the WSDL publication. This way only clients that already have generated a proxy will be able to discover and use the web service. Of course the service would still be public and anyone who knows how to properly format a SOAP request would be able to call it. A second step would consist in introducing security (private keys, HTTPS, client certificates, etc...) so that only trusted clients could consume the service.

Upvotes: 9
