Earlier I wrote a blog about how to make your wordpress blog a web service using the WSF/PHP Data Services library. I will expand that post to demonstrate the use of WS-Security features with WSF/PHP.

This time it is a Tag Search service for my wordpress blog. Check the ‘Tag Search’ Data Services Demo from http://ws.dimuthu.org/. The only difference is here you are authenticated before accessing the service using the username tokens as specified in WS-Security.

Just look at the WSSecurity constructor in the Data Service Demo Code. You can observe 4 new parameters passed in to it. (In addition to the “config” and “operations” options)

  • policy – This is where you specify the policy governed by the service.  Here you can either use the WS-Policy compliant policy file or just a simple PHP array that contain the required security token informations. 
    $sec_array = array("useUsernameToken" => TRUE);
$policy = new WSPolicy(array("security"=>$sec_array));
  • securityToken: You specify the user parameters like how you handle the authentication and the encoding type in this option. 
    $security_token = new WSSecurityToken(array("passwordCallback" => "password_callback_function",
                                       "passwordType" => "Digest"));

/* callback function
 * @param string $username username of the client request
 * @return string $password password for that username
 */
function password_callback_function($username) {
    // In the real word I should authenticate users from database.
    // for this demo I have a simple if-else block

    if($username == "visitor") {
        return "visitor123";
    }

    return "notavistor";
}

    Note that here you specify a callback function to the security token parameter. Inside this function you retrieve the password for the user (mostly from the database) and return. WSF/PHP will authenticate the user from these information.

  • useWSA : You need to set this option in order to generate the WS-Addressing parameters (like action) for your WSDL. WS-Addressing is required to run web services with WS-Security in WSF/PHP.
  • actions: You should provide a map of action to service operations in order to get the WS Addressing information generated with your WSDL. 
    $actions = array("http://ws.dimuthu.org/blog/getPosts" => "getPosts");

    Just have a look at how these information are rendered in the generated WSDL, http://ws.dimuthu.org/blog/WordpressTagSearchService.php?wsdl. (Note the wsaw:action attribute in the messages inside the portType element.

After you deploy the service, it is very easy to generate a client with the WSDL. If you write clients in PHP you can use the wsdl2php tool shipping with WSF/PHP.  The code for my demo client can be found in http://ws.dimuthu.org/source.php?src=tag.search.client. (There I have hard coded the username and password just for the demo purpose)