I have a webservice that is used by inserting a piece of JavaScript into the page. The JavaScript scans the page for a certain string and makes a request to my ASP.NET JSON WebService. The JavaScript then uses the JSON to display some content.

What I would ideally like to do is prevent anyone from accessing my JSON service directly.

The service is accessed using a jQuery Ajax Request.

Is this possible?

Best Regards, TheLorax

A: 

Not really.

If you have a known user group, you can stop others from accessing your service by issuing an API key or such. But your valid users will be able to get to your JSON in any form they please.

You could try to obfuscate things, but that is probably not worth the effort.

And since you cannot close this off, you should embrace the mashup spirit of Web 2.0 and be happy if someone accesses your service and presents the information in new, innovative ways that you have not even thought of. That should make your service more popular.

If it somehow ends up costing you real revenue, you have to rely on legal ways to stop it, as the technical measures can be circumvented.

Thilo
+1  A: 

My experience is primarily with PHP, so you might have to convert the concept to ASP.NET ;)

If the code is part of the same web app (or on the same server instance) and I want to lock it down, as in, it's behind an authentication system, I store a variable on the session saying the user is authenticated. You might be able to do the same thing with ASP.NET and the session state. Depends on if the web service or whatever is serving up the JSON has access to that user's session state.

Another option is to create some sort of hash key on the server side seeded with a private key. Pass that through your requests to the JSON service which also knows the private key. Problem with this solution is it's a bit of coordination to make sure the JSON service is decrypting properly, and people still might be able to use the JSON service in other ways.

Ben
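
The keyed-hash idea from the answer above, as an added C# example that is not part of either answer: the page-rendering code issues a token and the JSON service recomputes the keyed hash before responding. It goes one step beyond the answer by binding the token to a client id and an expiry time; `RequestToken`, `clientId` and the sample key are assumptions, and `CryptographicOperations` assumes .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; RequestToken and clientId are hypothetical names, not from the post.
public static class RequestToken
{
    // Private key known only to the page-rendering code and the JSON service.
    // Constructed sample value; load the real key from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("sample-key-for-illustration-only");

    // Keyed hash (HMAC-SHA256) over the client id and the expiry time.
    private static string Sign(string clientId, long expires)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(clientId + "|" + expires)));
    }

    // Called while rendering the page; the script sends the result with each request.
    public static string Issue(string clientId, DateTimeOffset now, TimeSpan lifetime)
    {
        long expires = now.Add(lifetime).ToUnixTimeSeconds();
        return expires + "." + Sign(clientId, expires);
    }

    // Called by the JSON service before it returns any data.
    public static bool Verify(string token, string clientId, DateTimeOffset now)
    {
        int dot = (token ?? "").IndexOf('.');
        if (dot <= 0 || !long.TryParse(token.Substring(0, dot), out long expires))
            return false;   // malformed token
        if (expires < now.ToUnixTimeSeconds())
            return false;   // expired: limits how long a copied token can be replayed
        byte[] expected = Encoding.UTF8.GetBytes(Sign(clientId, expires));
        byte[] supplied = Encoding.UTF8.GetBytes(token.Substring(dot + 1));
        // Constant-time comparison so response timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(expected, supplied);
    }

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        string token = Issue("site-42", now, TimeSpan.FromMinutes(5));
        Console.WriteLine(Verify(token, "site-42", now));                       // same client, unexpired
        Console.WriteLine(Verify(token, "site-99", now));                       // different client id
        Console.WriteLine(Verify(token, "site-42", now.AddMinutes(6)));         // checked after expiry
        Console.WriteLine(Verify("0." + token.Split('.')[1], "site-42", now));  // expiry field altered
    }
}
```

The token is visible to anyone who loads the page, so it only narrows direct access to the lifetime of each issued token; as both answers note, a visitor with a valid token can still call the service however they like.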