Web Services Security in WSF/PHP 1.3.2

With WSF/PHP 1.3.2 you can use following basic features in WS-Security.

Feature Purpose Array based Security Policy Options ($sec_policies) Security Token Options ($sec_token_options)
UsernameToken Authentication array(“useUsernameToken” => TRUE) array(“user” => “your_username”,
“password” => “your_password”,
“passwordType” => “Digest”); //Digest/Plain
Timestamp Avoid Interception,Replay Attack (use with signing) array(“includeTimeStamp” => TRUE); array(“ttl” => 100)
Signing Non-Repudiation, Verify Server/Clients identity array(“sign” => TRUE,
“algorithmSuite” => “Basic256Rsa15”,
“securityTokenReference” => “KeyIdentifier”)
array(“privateKey” => $pvt_key,
certificate” => $cert)
Encryption privacy array(“encrypt” => TRUE,
“algorithmSuite” => “Basic256Rsa15”,
“securityTokenReference” => “IssuerSerial”);
array(“privateKey” => $pvt_key,
“receiverCertificate” => $pub_key))

You can build the WSPolicy and WSSecurityToken with an any mix of above features. For some scenarios you may only need timestamp with signing where as some other critical scenarios you want signing, encryption, username token and timestamp.

Here is how you build the WSSPolicy and WSSecurityToken classes using the above mentioned $sec_policies and $sec_token_options.

$policy = new WSPolicy(array("security"=> $sec_policies));

$sec_token = new WSSecurityToken($sec_token_options);

$svr = new WSService(array("policy" => $policy,
                           "securityToken" => $sec_token,
                            "actions" => $your_actions,
                           "operations" => $your_operations));


Similarly you can use the WSPolicy and WSSecurity with WSClient for the client side security. See the samples WS-Security demos and WS-Security sources.

This blog is about some of the security features shipped with WSF/PHP 1.3.2. With the next release of WSF/PHP you will have more features related to WS-Security like WS-SecureConversations, WS-Trust and use of KeyStores for encryption and signing.

This entry was posted in security, Tutorial/Guide, web services, wsf/php, wso2 and tagged , , , , , , , , , , . Bookmark the permalink.

2 Responses to Web Services Security in WSF/PHP 1.3.2

  1. Linda Botes says:


    Is it possible to use security wiht REST in WSF? I have tried but it does not work. WSFault exception doesn’t have any info in either.


  2. dimuthu says:

    If you use REST, the only way of using security is in http level. I.e, https and basic authentication. The other SOAP security scenarios will not work.


Leave a Reply

Your email address will not be published. Required fields are marked *