How do I prevent direct access to my JSON service?

Updated: 2023-12-01 15:26:40

There are a few good ways to authenticate clients.


  • By IP address. In Apache, use the Allow / Deny directives.
  • By HTTP auth: basic or digest. This is nice and standardized, and uses usernames/passwords to authenticate.
  • By cookie. You'll have to come up with the cookie.
  • By a custom HTTP header that you invent.

Edit:

I didn't catch at first that your web service is being called by client-side code. It is literally NOT POSSIBLE to prevent people from calling your web service directly, if you let client-side Javascript do it. Someone could just read the source code.
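
The checks listed in the answer, written as a server-side gate and run over constructed requests; this is an added example, not code from the original answer. The header name, credentials and addresses are made up for illustration, and a cookie check would behave the same way as the header check shown here.

```javascript
// Added example: server-side gate for the checks listed in the answer.
// All names and values below are constructed for illustration.
const POLICY = {
  allowedIps: new Set(['192.0.2.10']),           // documentation-range address
  basicUsers: { reports: 'constructed-password' },
  headerName: 'x-json-client',                   // hypothetical custom header
  headerValue: 'constructed-shared-value',
};

// Compares every position instead of stopping at the first mismatch.
function sameString(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Parses "Authorization: Basic <base64(user:password)>" and checks the pair.
function checkBasic(authorization, users) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(authorization || '');
  if (!m) return false;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');              // the password may contain ':'
  if (sep < 0) return false;
  const user = decoded.slice(0, sep);
  if (!Object.prototype.hasOwnProperty.call(users, user)) return false;
  return sameString(decoded.slice(sep + 1), users[user]);
}

// Returns the names of the checks a request passes; req = { remoteAddr, headers }.
function passedChecks(req, policy = POLICY) {
  const h = req.headers || {};
  const passed = [];
  if (policy.allowedIps.has(req.remoteAddr)) passed.push('ip');
  if (checkBasic(h.authorization, policy.basicUsers)) passed.push('basic');
  if (sameString(h[policy.headerName] || '', policy.headerValue)) passed.push('header');
  return passed;
}

// Constructed requests: the page's own script, and a direct call from elsewhere
// carrying the same header value, which is readable in the page source.
const fromPage = { remoteAddr: '198.51.100.7', headers: { 'x-json-client': 'constructed-shared-value' } };
const direct = { remoteAddr: '203.0.113.9', headers: { 'x-json-client': 'constructed-shared-value' } };
const operator = { remoteAddr: '192.0.2.10',
  headers: { authorization: 'Basic ' + Buffer.from('reports:constructed-password').toString('base64') } };
```

`passedChecks(fromPage)` and `passedChecks(direct)` return the same result: the server cannot tell the page's script from any other sender of the same value, which is the point of the edit above.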