I just went over the U2 Web Service Developer documentation carefully. This is really just a GUI wrapped around an HttpListener, forwarding requests to a completely "non-SOAPish" BASIC program. (Just like my web service video.) It's not a "developer" tool, it's a deployment tool. I thought they were connecting directly into U2 and wrapping data in a SOAP envelope there.
So the problem really has nothing to do with U2 Web Services, but "how do we stop anyone from accessing a privileged port on a public web server?". David, sorry if I missed comments on this before: if your web service is facing out to the internet then why can't you open a firewall port for authorized IP addresses? If firewall management isn't practical, I'd think that it would be pretty easy to use a software-based proxy that accepts connections on a socket and then forwards them to the the U2 service. You can then filter IP addresses here so that unauthorized clients never actually hit the DBMS, which I believe is your goal. If you can't find something you like (though there are any number of free/commercial offerings out there), you could write your own HttpListener, authenticate requests based on a modified querystring which you provide to your clients (you can use LDAP, IP address, or use the encryption method I described on 4-june). When you're satisfied that the client is OK, forward the request to a different local connection - the web service created with the IBM product. You're probably using U2 Web Services so that you don't need to write code. Well, it doesn't look like security is built into the software (except for SSL) so unless IBM comes up with an enhancement soon this becomes a DIY project. You can find lots of info if you search for "proxy web service". Here is one article that I believe describes your scenario - and for the "I hate Microsoft crowd" I selected something written by Java developers. ;) http://www.developer.com/java/web/article.php/3320851 Since you're a .NET developer, I'm really surprised that you see any value in this product. There are tools in our industry for BASIC programmers who don't know and don't want to know about other technologies. I think they provide a valuable service and it seems the U2 offerings fits this category. But when you know what goes under the hood and it only takes a couple minutes to do this stuff on your own, why bother with something else? The U2 Web Developer simply shifts complexities: rather than learning how to do something on your own, you're learning how they want you to do it. How much value is there to a side-ways shift in responsibility? If anyone else here finds limitations in the U2 Web Service Developer product, let me know - I'm sure I can write a replacement relatively quickly. :) Tony Gravagno Nebula Research and Development TG@ remove.pleaseNebula-RnD.com Author of web services articles for the MV market before anyone in this market was even interested in web services... nospamNebula-RnD.com/articles/ _______________________________________________ U2-Users mailing list [email protected] http://listserver.u2ug.org/mailman/listinfo/u2-users
