Prevent webservice to be called from different Client App
https://stackoverflow.com/questions/3580865
-
01-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I have this webservice at work. For that webservice our department have developed a client to consume the webservice.
What we want to prevent is, that they develop any other client to consume it.
Is there any algorithm, practice that we can improve in our client and webservice communication to validate that the consuming client is our application?
I have an idea, that we can develop an encrypting algorithm about the time (5 seconds of grace) that must match with the calculated on server.
But i want to be sure, there is no best practice for that... or if it still a good idea...
(sorry about my english)
Solution
I think part of the point of web services (SOAP or REST based, for example) is to publish an interface that will let your service potentially be used by a variety of client implementations (interoperability is one of the motivations for web services).
If you want to lock your service to be used by your client, the only benefit of having it as a "web service" is probably the tools and libraries with which you've implemented it. You may want to consider whether this was worthwhile (it's possible indeed).
If you distribute your client application, chances are that whatever protection mechanism that may ensure the requests come from that client will have to be embedded with this client. Therefore whatever secret mechanism you embed will probably be only obfuscated to a certain point, but breakable by more advanced users.
OTHER TIPS
What you are looking for is known as "authentication".
You need application authentication. For Web based application and services try looking into 2-legged OAuth. In OAuth You give out an id and a secret for every client app which accesses your service and every message is signed for extra security.
