>>>>I'm not sure what I mean. I guess I'm wondering what's stopping anyone at all from accessing the data through
>>>>the WS. Do I handle security in the DB? Or is there another approach?
>>>
>>>Well, https would certainly prevent anyone from accessing it without the proper credentials.
>>
>>Not true I'm afraid. HTTPS ensures data is encrypted but has nothing to do with Authentication/Authorisation.....
>
>Yeah, Viv ... you're right. My bad. =0(

Actually I'm wrong. A certificate is normally used to authenticate the server but you *can* use client certificates for authentication. I don't think it's used very often on 'public' sites but is an option where access will be limited.