Securing Web Services
Last week I wrote my first web service (yay!). I am not going to write about that, as the process of creating web services is nicely described at IBM developerWorks. But, back to my service. The service is used to do some work that only my consumer application should be able to do. However, due to the nature of its use, it has to be available on a public server. It was only after I had nearly completed it that I became aware of this issue.
Lotus Notes offers several security features for Web services (the same as for Notes agents). My first thought was to just set the people who can run the service, but that failed miserably, as the web service consumer (another LN application) now didn’t see the service it was supposed to consume.
The next idea was to have the Web Service Run as web user, but that only caused an error upon saving the newly imported consumer code. Thus, Lotus Notes security failed in full (or, I just don’t know how to use it for Web Services).
The next option was to have my web service request a user name and password, but for the life of me, I couldn’t find any reference as to how I would do that.
So, the only option left, and the easiest one to implement, was to just create a hash string that the web service could check, and send it as part of the data structure. It works nicely and provides enough security.
I do wonder why all those security options didn’t work though…
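The hash-string check described above, sketched as an added example; it is not the author's code and not Lotus Notes code. The post does not say how the hash is built, so this sketch assumes a shared secret and goes one step beyond a fixed string: it computes an HMAC over the data structure plus a timestamp, so the value is bound to each request and expires. All names, the secret and the freshness window are hypothetical.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the example; in practice it is provisioned
# out of band to the consumer and the service and never sent in a request.
SHARED_SECRET = b"constructed-example-secret"
MAX_SKEW_SECONDS = 300  # assumed freshness window


def _canonical(payload: dict, timestamp: int) -> bytes:
    # Stable serialization so both sides hash identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return f"{timestamp}.{body}".encode("utf-8")


def _tag(payload: dict, timestamp: int, secret: bytes) -> str:
    return hmac.new(secret, _canonical(payload, timestamp), hashlib.sha256).hexdigest()


def sign_request(payload: dict, secret: bytes, now: Optional[int] = None) -> dict:
    """Consumer side: wrap the payload with a timestamp and an HMAC tag."""
    ts = int(time.time()) if now is None else now
    return {"payload": payload, "timestamp": ts, "auth": _tag(payload, ts, secret)}


def verify_request(request: dict, secret: bytes, now: Optional[int] = None) -> bool:
    """Service side: reject malformed, stale or incorrectly tagged requests."""
    current = int(time.time()) if now is None else now
    payload = request.get("payload")
    ts = request.get("timestamp")
    tag = request.get("auth")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        return False
    if not isinstance(ts, int) or isinstance(ts, bool):
        return False
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # stale or far-future request: limits replay of a captured one
    expected = _tag(payload, ts, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8"))
```

A captured request can still be replayed inside the freshness window, and the data itself is readable on the wire unless the service is reached over TLS.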