I have a problem regarding JSON web service security.
I tried to develop a sample web application using a JSON web service, but the problem is that the URL was exposed on the client side. So from there, anybody can write a program and call the service a thousand times.
Please note that the web service will be used for a registration page, where it checks whether the user exists in the database. So no authentication happens in this process.
What are the approaches to securing calls to the exposed web service?
This is what I would do:
Put an authentication layer between the web service and the outside world (i.e. instead of making your webservice a public interface, make the authentication layer the public API).
Get the authentication layer to then call the webservice on behalf of the caller.
This way, you can get to implement business logic at the authentication layer – e.g. simply refuse a caller who is attempting a DoS attack, or calling from an untrusted IP address, etc.
Also your API is internal, so no one can get to call it (you can implement further logic in the webservice to ensure that it only handles requests from localhost).
This is the configuration I would use. Generally, it's not a good idea to expose an API to the public, unless you want people to call it and possibly abuse it from time to time.
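A sketch of the layering this answer describes, added here as an example and not code from the original post: a public gateway that refuses denied addresses and callers over a per-IP request limit, then calls a loopback-only internal service on the caller's behalf. The names `Gateway`, `internal_user_exists` and `USERS`, the limits, and the sample addresses are all assumptions made for illustration.

```python
import ipaddress
import time
from collections import defaultdict, deque

USERS = {"alice", "bob"}  # constructed sample data standing in for the database

def internal_user_exists(peer_ip, username):
    """Internal web service: only handles requests arriving from localhost."""
    if not ipaddress.ip_address(peer_ip).is_loopback:
        raise PermissionError("internal service accepts loopback callers only")
    return {"exists": username in USERS}

class Gateway:
    """Public-facing layer that calls the internal service for the caller."""
    def __init__(self, limit=5, window=60.0, denied_networks=(), clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.denied = [ipaddress.ip_network(n) for n in denied_networks]
        self.hits = defaultdict(deque)  # client IP -> timestamps of recent calls

    def handle(self, client_ip, username):
        # client_ip must be the socket peer address, not a client-supplied header.
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.denied):
            return 403, {"error": "untrusted address"}
        now = self.clock()
        recent = self.hits[client_ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # drop calls that fell out of the sliding window
        if len(recent) >= self.limit:
            return 429, {"error": "too many requests"}
        recent.append(now)
        if not isinstance(username, str) or not 1 <= len(username) <= 64:
            return 400, {"error": "invalid username"}
        # The gateway runs on the same host, so the service sees a loopback peer.
        return 200, internal_user_exists("127.0.0.1", username)
```

In a real deployment the internal service would also bind only to 127.0.0.1, so the loopback check is a second line of defence rather than the only one.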