Calling a web service from Javascript

What is the best way to add authentication / security while calling Web service from javascript ?

I want my web services should only get called from my application , anyone else should not be able to access my web service by copying web service URL into browser.

From the first few answers i开发者_如何转开发t seems like its next to impossible.

So what should I reply to my client as he is unaware of word impossible ?

~Ajinkya.

Have a look at using the synchroniser token pattern so that the service can only be consumed with a piece of data known to the page which loads the service reference. There's an example of doing this with a web service in OWASP Top 10 for .NET developers part 5: Cross-Site Request Forgery (CSRF). This should achieve what you're after.

This is not possible. If you allow a client to access your webservice from JavaScript, the client will always be able to do that. You can only reduce access by using some kind of constraint, like a Token that needs to be sent along with the request to authenticate it. You might even turn it into a one-time token. But this will create new problems (e.g. what happens if the answer gets lost. The client javascript cannot rerun the query).