Peter, I'd assume that if the data was in any way sensitive
enough to worry about that, then the service would already be
locked down for authenticated users only.
But I think the point at issue here is that even once
authenticated, if the username is an actual parameter passed to the
web service, the same problem will still exist, except now the user
will need to be authenticated before they can see other people's
data.
As far as I'm aware (I'd like to be wrong), since
web services are usually just POJOs, they lack the normal request
information that something like a Servlet can access, i.e. who is
calling me, what IP they are on, what agent made the request.
In my humble opinion, there is no "simple" solution to this
security issue. I'd really love to be wrong though.
One approach I can think of is sticking to purely using
webservices, and making it so that every client generates a digital
key pair, then transmits the public portion to be stored on the
server. In each request, they must then sign some parameter for the
webservice with their private key. Then at the server, the public
key for the username requested is used to decrypt the param, and if
it decodes to the expected value the service can send the data.
Now, the user would not only have to know someone's username to
tamper with the call to the web service, but would also have to have
the other person's private key.
I imagine the overhead and developer time would be pretty
high, but it would at least prevent them from tampering with the
SOAP request to ask for someone's private data.
The other way might be to route requests via a servlet, and
check the username authenticated with the container matches that in
the request, and then only relay the call if it does.
edit (note): I'm basing this on my experience of web services
on JBoss 3.2, where the container takes care of the authentication,
then calls a POJO. I believe on .NET and maybe some more recent
Java app servers it may be possible to query the authenticated user
within a web service method. edit: actually, it seems that this is
possible on most platforms; I'd just completely forgotten about it, as
it was no good for my requirement that the container managed and
cached authentication rather than checking credentials on every
request. Also, you could just use a password stored on the server
which you check with every request instead of the private key system
I mentioned, which is almost certainly overkill.
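The two server-side checks described in the reply above (a per-request proof tied to the requested username, and the relay check that the container-authenticated principal matches the username in the request), as an added example that is not code from the original thread. It uses the "password stored on the server" variant from the edit, with HMAC-SHA256 as the assumed primitive in place of a key pair; the user names, secrets, account data and function names are all constructed.

```python
import hashlib
import hmac

# Constructed sample store: a per-user secret the server checks on every
# request (the shared-secret alternative from the post, standing in for the
# public/private key pair; HMAC is the assumed primitive).
USER_SECRETS = {"alice": b"alice-secret-example", "bob": b"bob-secret-example"}

# Constructed sample of the data the web service protects.
ACCOUNT_DATA = {"alice": {"balance": 100}, "bob": {"balance": 250}}


def canonical_request(username, params):
    """Bytes covered by the signature: the username plus every parameter the
    service acts on, in a fixed order, so none of them can be swapped out."""
    lines = [f"user={username}"] + [f"{k}={params[k]}" for k in sorted(params)]
    return "\n".join(lines).encode()


def sign_request(username, params):
    """Client side: compute the per-request proof with the user's own secret."""
    secret = USER_SECRETS[username]
    return hmac.new(secret, canonical_request(username, params), hashlib.sha256).hexdigest()


def verify_request(username, params, signature):
    """Server side: recompute with the secret stored for the *requested*
    username and compare in constant time. Knowing someone else's username
    is not enough to produce a signature that verifies under their secret."""
    secret = USER_SECRETS.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret, canonical_request(username, params), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def get_account(authenticated_user, username, params, signature):
    """Relay-style check from the post: the principal the container
    authenticated must equal the username carried in the request, and the
    request must carry a valid proof, before any data is returned."""
    if authenticated_user != username:
        return None  # authenticated, but asking for someone else's data
    if not verify_request(username, params, signature):
        return None  # tampered parameters or a secret that does not match
    return ACCOUNT_DATA.get(username)
```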