Web Services Security in WSF/PHP 1.3.2

Posted on August 18, 2008 by dimuthu

With WSF/PHP 1.3.2 you can use following basic features in WS-Security.

Feature	Purpose	Array based Security Policy Options ($sec_policies)	Security Token Options ($sec_token_options)
UsernameToken	Authentication	array(“useUsernameToken” => TRUE)	array(“user” => “your_username”, “password” => “your_password”, “passwordType” => “Digest”); //Digest/Plain
Timestamp	Avoid Interception,Replay Attack (use with signing)	array(“includeTimeStamp” => TRUE);	array(“ttl” => 100)
Signing	Non-Repudiation, Verify Server/Clients identity	array(“sign” => TRUE, “algorithmSuite” => “Basic256Rsa15”, “securityTokenReference” => “KeyIdentifier”)	array(“privateKey” => $pvt_key, certificate” => $cert)
Encryption	privacy	array(“encrypt” => TRUE, “algorithmSuite” => “Basic256Rsa15”, “securityTokenReference” => “IssuerSerial”);	array(“privateKey” => $pvt_key, “receiverCertificate” => $pub_key))

You can build the WSPolicy and WSSecurityToken with an any mix of above features. For some scenarios you may only need timestamp with signing where as some other critical scenarios you want signing, encryption, username token and timestamp.

Here is how you build the WSSPolicy and WSSecurityToken classes using the above mentioned $sec_policies and $sec_token_options.

$policy = new WSPolicy(array("security"=> $sec_policies));

$sec_token = new WSSecurityToken($sec_token_options);

$svr = new WSService(array("policy" => $policy,
                           "securityToken" => $sec_token,
                            "actions" => $your_actions,
                           "operations" => $your_operations));

$svr->reply();

Similarly you can use the WSPolicy and WSSecurity with WSClient for the client side security. See the samples WS-Security demos and WS-Security sources.

This blog is about some of the security features shipped with WSF/PHP 1.3.2. With the next release of WSF/PHP you will have more features related to WS-Security like WS-SecureConversations, WS-Trust and use of KeyStores for encryption and signing.

This entry was posted in security, Tutorial/Guide, web services, wsf/php, wso2 and tagged 1.3.2, encryption, php, policy, security token, signing, timestamp, usernameToken, ws-security, wsf/php, wso2. Bookmark the permalink.

2 Responses to Web Services Security in WSF/PHP 1.3.2

Linda Botes says:

December 14, 2010 at 5:19 pm

Hi

Is it possible to use security wiht REST in WSF? I have tried but it does not work. WSFault exception doesn’t have any info in either.

Linda
dimuthu says:

February 9, 2011 at 4:45 am

If you use REST, the only way of using security is in http level. I.e, https and basic authentication. The other SOAP security scenarios will not work.

Thanks
Dimuthu

Leave a Reply Cancel reply

Tags
2 minutes adb axis2/c base64 binary bps carbon codegen DataService data services enterprise esb Governance guide install mashup mtom php policy registry release REST RESTful security services SOA SOAP Tools tutorial Web Service web services wordpress WS-* ws-security wsas WSClient WSDL wsdl2php wsdl generation wsdl mode wsf wsf/php wso2 xml xml schema
Archives
- July 2010 (1)
- June 2010 (1)
- May 2010 (3)
- February 2010 (1)
- January 2010 (6)
- December 2009 (1)
- November 2009 (1)
- October 2009 (2)
- August 2009 (1)
- July 2009 (3)
- June 2009 (2)
- April 2009 (1)
- March 2009 (3)
- February 2009 (4)
- January 2009 (5)
- December 2008 (12)
- November 2008 (20)
- October 2008 (21)
- September 2008 (21)
- August 2008 (9)
- July 2008 (7)
Calendar
August 2008

M T W T F S S

« Jul Sep »

1 2 3

4 5 6 7 8 9 10

11 12 13 14 15 16 17

18 19 20 21 22 23 24

25 26 27 28 29 30 31
Meta
Pages
- About
Recent Posts