Webservices and security

Maybe our company is the only one wrestling with this, but every time we want to exchange data with another system we run into the same problems. I would really like some opinions on how other people have handled this.

First, let's say we want to consume a webservice from a company. From a security perspective, the company's first line of defense will be a firewall, and then the webservice can be consumed. The second layer will be an SSL certificate and a username/password combination. The problem is that Mendix will not provide an IP address (not even an IP range) of your cloud app. They state that IP addresses can be forged and should not be used as a security measure. But explain that to the client. They simply state that it is company policy and they need the IP.

To circumvent this you could change the data pull mechanism to a push mechanism. This way you could circumvent the IP firewall problem, because Mendix at their site does not use the firewall mechanism. The problem with this solution, however, is that although you can attach a certificate to every webservice you consume, you cannot add a certificate to a webservice you publish. A feature request for this has been made, but it is low on the list and not a high priority.

Maybe it is just us and we are not thinking clearly, and there is a solution that can be used now in the standard cloud. I would really like your opinion. Our opinion is that Mendix should either provide us with IP ranges so the client firewalls can be adjusted, or I should be able to add certificates to published webservices.

Regards, Ronald
1 answer

We created a Java action (no input, string output) we run on the server to return its IP address. This seems to be the relevant bit:

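import java.net.InetAddress;

    String thisIpAddress = "";
    try {
        // Resolve the local host name to an address
        InetAddress thisIp = InetAddress.getLocalHost();
        thisIpAddress = thisIp.getHostAddress();
    } catch (Exception e) {
        // Lookup failed; thisIpAddress stays empty
    }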
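Before handing an address from `InetAddress.getLocalHost()` to a firewall administrator, it helps to check what kind of address it is, because a host behind NAT reports its local interface address rather than the source address the remote firewall sees. The following is an added example, not part of the answer above and not Mendix code; the class name `LocalAddressReport` and its labels are assumptions made for illustration.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

public class LocalAddressReport {

    // Label an address by whether it could appear as a source at a remote firewall.
    static String classify(InetAddress a) {
        if (a.isLoopbackAddress()) return "loopback: never leaves the host";
        if (a.isLinkLocalAddress()) return "link-local: never routed";
        if (a.isSiteLocalAddress()) return "private: rewritten by NAT on the way out";
        // Java does not flag IPv6 unique-local (fc00::/7) as site-local, so test it here.
        if (a instanceof Inet6Address && (a.getAddress()[0] & 0xfe) == 0xfc)
            return "IPv6 unique-local: not routed on the internet";
        return "none of the above: candidate source address";
    }

    // List every address bound to an interface that is currently up.
    static List<String> report() throws SocketException {
        List<String> lines = new ArrayList<>();
        Enumeration<NetworkInterface> nics = NetworkInterface.getNetworkInterfaces();
        if (nics == null) return lines; // no interfaces reported
        for (NetworkInterface nic : Collections.list(nics)) {
            if (!nic.isUp()) continue;
            for (InetAddress a : Collections.list(nic.getInetAddresses())) {
                lines.add(nic.getName() + " " + a.getHostAddress() + " -> " + classify(a));
            }
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        // The call used in the answer above, with its result classified.
        InetAddress local = InetAddress.getLocalHost();
        System.out.println("getLocalHost " + local.getHostAddress() + " -> " + classify(local));
        report().forEach(System.out::println);
    }
}
```

If every line is loopback, link-local or private, the address a partner's firewall would need can only be observed from outside the host, for example in the partner's own connection logs.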