I'm developing a web service using php's SoapServer built-at school. I've run some fundamental tests also it appears to become working fine, however I have to limit who are able to make use of the service.

Presuming that only other scripts on a single server are attempting to consume my service, which they'd do that server-side (instead of with AJAX or similar means), does my service have way of determining who owns the requester?

I possibly could limit access the plan to only demands from a specific origin, but this appears either very strict or very hard to rely on, based on basically allow use of any script inside a directory versus. only specific scripts.

I am simply not obvious basically can limit access through the user around the server because the user the original asking for script is going to be www.

here are a few of the options:

  1. as vivek pointed out, a type in the url could have the desired effect, i have tried personally this many occasions, and delay pills work nicely, as well as enables you to definitely monitor who's consuming the service (different customers, different secrets)

  2. you can restrict use of the scripts by IP. this really is such as the nuke of limitations, i have seen it used mostly in places where services are granted outdoors the initial server, but in which a VPN could be an overkill.

  3. obviously, you might require full authentication, but it has an excessive amount of overhead, both when it comes to programming, and when it comes to effectiveness.

however, i have to request:

  1. if perhaps scripts on a single server are consuming the service, why turn it into a service whatsoever?
  2. for those who have (unrestricted) pages that consume this (restricted) service, what's preventing anybody from scraping individuals pages - regardless of how hard you safeguard the service?

You could implement HTTP authentication against an information source of your liking. Apache has various choices for doing Digest and Fundamental auth against an array of sources (we use mod_auth_mysql to have a php webdav solution) but PHP also offers good documentation concerning how to get it done in the application level.


Why don't you simply make the net service on the localhost vhost?

Not completely water-tight, of course but easy to implement.

Or on the vhost running on the firewalled port?


You could utilize a registration key since many famous API's do, like weather bug....

then when a request is available in, you can look into the the code and find out if the user has registered to apply your API.