Security will be delivered in two phases.

In the initial delivery Hivedome will provide clients with a Client Key and HMAC. These strings are generated by Hivedome and are unique to each client. A call to any web service needs to be accompanied by a valid client key and a related HMAC otherwise the call will be rejected as unauthorised.

This approach is reasonably secure because although a malicious user may know, or be able to determine, the url of the services and may even be able to guess the Client Key, they would not be able to generate the HMAC as this is created by a hashing mechanism buried deep in the core ITAS 8.0 code.

However, while this approach secures against un-authenticated calls it is technically possible (though reasonable difficult) to intercept an http request within a network. The intercepted information could then in theory be deciphered and the client key and HMAC extracted. This would then enable a malicious user to interact via web services by making http requests in the necessary format accompanied by the extracted key and HMAC.

For this reason clients are not recommended to expose web services outside of their network until Web Services Security Phase II is delivered (expected delivery date Q1 2015).

Phase II of Web Services security will include session based authentication using expire-able tokens created via a GET request, an API key via a POST body argument or as a cookie.