Greetings,
I need to create a web service to be called by a few of our external
affiliated web sites. How can I restrict web service invocation to only
these affiliated web sites?
Some of the things I came up with, but they seem weak:
1. Check the caller's URL and only accept those that are in a list of
authorized web sites. But a hacker can spoof the URL.
2. Give each site a user name and password to send over with every call. But
we can't count on them to secure this info appropriately.
3. Using X.509. But that seems to be overkill. We would consider this as the
last resort.
The one thing I will stick to is requiring the web service to be called over
SSL, unless there is some drawback to that.
Please share with me your thoughts and recommendations. Many thanks in
advance.