Thanks for the replies Scott/Walden/Peter. Scott, you did catch that this is related to IBM IWS since I am using that wizard to create the link to my back end RPG application and it is what is converting the data returned by the RPG app into XML to send back to the consumer. I guess if I need to return a result set I forget about IWS for now and use one of the other options to create the XML with repeating groups.
In my case, I do not see us creating web services to be used directly by anyone other than a few internal developers who are asking for data for our public web site (using Dreamweaver which can consume a web service) which would be data as found in an employee directory which is all in DB2/400. Or internal developers who are creating employee/student portal based forms (developed using InfoPath which can also consume a web service) where the forms need an employees office/supervisor/cost center/ or a students major/dean/advisor. In both cases the end user of the web site may or may not be on campus behind our firewall at the time they make the request. I will need to do some experiments to see what IP address the web service sees, the IP address of the web server or the IP address of the end user. If it is the server I can just test for a few valid IP addresses to take care of security or give each a unique password that they can hide in the request. Or if the RPG web service can also use the CGI APIs to get at cookies on the client machine (created when anyone authenticates to the portal) I could just tap into our existing security cookie which the iSeries is already playing a roll in. That cookie would tell me who the actual end user is.
-----Original Message-----
From: web400-bounces@xxxxxxxxxxxx [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Scott Klement
Sent: Tuesday, February 10, 2009 7:31 PM
To: Web Enabling the AS400 / iSeries
Subject: Re: [WEB400] my first web service
Hi Mike,
Can a web service return a result set in the same way a stored procedure can?
Are you asking whether web services in general can do this? Or whether
the IBM-provided Integrated Web Services (IWS) tool can do this?
Web services in general can certainly do this. However, I'm pretty sure
IWS cannot.
Are there any additional security issues I now need to think about
like how to protect my web services from only being used by the
people I want to allow to use them, most of whom will be using PC
based products to request data.
Yes, I'd think about those things! :) I'd have a userid/password or
some similar mechanism (digital key?) that's provided when your web
service is accessed. I'd also require SSL so that the aforementioned
userid/password/key cannot be sniffed from the network. Especially if
you intend to make this application available over the Internet.
You could potentially use client-side SSL certificates in place of a
digital key. I would only attempt that, however, if you are providing
the software for both ends of the conversation. It would be very
difficult to implement if you want to allow clients to be able to
integrate your service into their own applications. (Which is what web
services were really designed for...)
midrange.com
