Although several competing standards for handling security within the web services framework are under development, as of this writing there is no accepted standard. That said, there are existing technologies you can use to secure access to your web services. ColdFusion supports web service security in two ways, at the web server level and using ColdFusion’s built-in security framework.
At the web-server level, you can protect a web service using HTTP Basic Authentication. This is done by restricting access to the directory containing the CFC you want to expose as a web service. For more information on using HTTP Basic Authentication, see Chapter 8, as well as the documentation for your particular web server.
For web services that restrict access based on HTTP Basic
Authentication, you can provide a username and password to pass along
with the call to the web service in the
tag or by registering the web service in the ColdFusion
<cfinvoke webservice="http://www.example.com/addressLookup.wsdl" returnvariable="myAddress" username="
password"> <cfinvokeargument name="userID" value="pmoney"> </cfinvoke>
password values are Base64-encoded and
in the authorization header to the target server.
You can control access to your web services at a much more granular level ...