I'm going to make a SOAP-like server and was wondering why most SOAP-based APIs in use have a username, password and key to gain access.
Surely one form of ID would be enough as all three of those parameters could be just as easily spoofed as one?
janharders
12:26 pm on Sep 11, 2009 (gmt 0)
I don't know about "most" SOAP services, but I often find them to use an authorization service that hands you an auth token, which you'll then use to access other services, so that you won't have to supply your username and password to each individual service.
optik
2:11 pm on Sep 11, 2009 (gmt 0)
Is there any reliable way to check where a request has come from? HTTP_REFERER is not reliable.
janharders
8:31 am on Sep 12, 2009 (gmt 0)
SOAP does not necessarily rely on HTTP for transportation, but if your webservice does, you might want to log REMOTE_ADDR with your requests; that's the originating IP. There is no real equivalent to HTTP_REFERER since there are no hyperlinks in SOAP, so a referrer wouldn't make sense.
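
The auth-token pattern and the REMOTE_ADDR logging described in the replies above, as an added example that is not part of the original thread. An HMAC-signed, expiring token is one way to build such a token; `SECRET`, `issue_token`, `verify_token` and the audit-log shape are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: a key shared by the auth service and the services that accept its tokens.
SECRET = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())

def issue_token(username, now=None, ttl=900):
    """Auth service: called once, after the username/password check succeeds."""
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": username, "exp": int(now) + ttl}).encode())
    return f"{payload}.{_sign(payload)}"

def verify_token(token, remote_addr, now=None, audit_log=None):
    """Other services: validate the token and log REMOTE_ADDR with the request."""
    now = time.time() if now is None else now
    user, result = None, "ok"
    try:
        payload, sig = token.split(".")
        # Constant-time comparison, done before the payload is parsed at all.
        if not hmac.compare_digest(sig, _sign(payload)):
            result = "bad signature"
        else:
            claims = json.loads(_unb64(payload))
            if claims["exp"] <= now:
                result = "expired"
            else:
                user = claims["sub"]
    except (ValueError, KeyError, TypeError, AttributeError):
        result = "malformed"
    if audit_log is not None:
        # Failed attempts are logged too, so the source address is on record.
        audit_log.append({"remote_addr": remote_addr, "user": user, "result": result})
    return user

if __name__ == "__main__":
    log = []
    tok = issue_token("alice")                    # constructed user name
    print(verify_token(tok, "203.0.113.7", audit_log=log), log)
```

The password is presented only to the auth service; every other service sees just the short-lived token, and a token with an altered payload fails the signature check.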