Since you are most likely using SOAP over HTTP, you have the same tools used
to protect other HTTP services  -- you can require client certificates,
restrict to certain IPs, use HTTP basic authentication, etc., which can all
be set up using your web application server.  But these are probably useful
only if you are dealing with known clients or partners.  If you truly want
your web service to be available to all, I'm not sure there's much you can
do.  Denial of service attacks are pretty hard to fight against.  There may
be some anti-DoS technologies out there but I don't know much about that.  I
think you are correct in that a publicly available, request-scoped service
could be a risk.  Sorry if that's not much of an answer.


James


-----Original Message-----
From: Nicolas Dinh [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 28, 2003 10:45 AM
To: [EMAIL PROTECTED]
Subject: Web Service Model - Security Issues


Hi,
I'm still quite new to all of this. But from what I understand, one of the
main goals of using a Web Service Model is to essentially make its interface
universal and accessible to anyone.
How does one protect one's Web Service from malicious attacks? One that
comes to mind and can be done quite easily is flooding a Web Service with
SOAP calls. If the scope of the AXIS Web Service is per request, then the
Web Service object is instantiated every time a SOAP call is made and can
put quite a load or even crash the server that is hosting the Web Service?
Regards,
Nicolas Dinh
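
Added example, not part of the original thread and not code from either poster or from the Axis project: a deployment descriptor fragment showing how the HTTP basic authentication and client-certificate options mentioned in the reply can be set up in the web application server for known clients. It assumes the Axis servlet is mapped to /services/*; the role name ws-client and the realm name are hypothetical.

```xml
<!-- Added example: fragment for WEB-INF/web.xml of the webapp hosting Axis. -->
<!-- Assumption: the Axis servlet is mapped to /services/*; adjust to your mapping. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SOAP endpoints</web-resource-name>
    <url-pattern>/services/*</url-pattern>
    <!-- No <http-method> elements: the constraint covers every method. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Hypothetical role; map partner accounts to it in the container's realm. -->
    <role-name>ws-client</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require TLS so Basic credentials never cross the wire in clear text. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- BASIC = HTTP basic authentication; CLIENT-CERT switches to client certificates. -->
  <auth-method>BASIC</auth-method>
  <realm-name>SOAP services</realm-name>
</login-config>

<security-role>
  <role-name>ws-client</role-name>
</security-role>
```

With this constraint in place the container rejects unauthenticated requests before the Axis servlet is invoked, so no request-scoped service object is instantiated for them. It does nothing for a service that must stay open to anonymous callers.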


