October 7th, 2008Test your SSL SOAP Client with an Online Service

WSF/PHP Demo Site services can be accessed via https (Secured HTTP)  transport. For an example you can access the echo service via https from https://2ec2.wso2.org/samples/echo_service.php endpoint. This can be used to identify whether you WSF/PHP instance is built with SSL enabled. (Note that from WSF/PHP 2.0.0 onwards, You have SSL enabled by default both in Linux and Windows, so for newer releases you don’t need explicitly set that when compiling).

Here is a sample client I used to connect to the https service. The only thing new from the traditional echo client is it has specified “CACert” option and the URL is pointing to a https service.

<?php
$requestPayloadString = <<<XML
<ns1:echoString xmlns:ns1="http://wso2.org/wsfphp/samples"><text>Hello World!</text></ns1:echoString>
XML;

try {

    $client = new WSClient(array( "to" => "https://2ec2.wso2.org/samples/echo_service.php",
                                "CACert" => "./resources/cacert.pem"));

    $responseMessage = $client->request( $requestPayloadString );

    printf("Response = %s <br>", htmlspecialchars($responseMessage->str));

} catch (Exception $e) {

    if ($e instanceof WSFault) {
        printf("Soap Fault: %s\\n", $e->Reason);
    } else {
        printf("Message = %s\\n",$e->getMessage());
    }

}
?>
[Ask] [Bloglines] [del.icio.us] [Digg] [diigo] [dzone] [Facebook] [Google] [MySpace] [MyWeb] [Newsvine] [PlugIM] [Reddit] [Slashdot] [Spurl] [StumbleUpon] [Twitter] [Windows Live] [Yahoo!] [Email] More »
Tutorial/Guide, security, web services, wsf/php, wso2 2 Comments »

August 14th, 2008Encrypt and Sign your SOAP messages in PHP

When you are developing a Web Service, you have to think about the security aspects of your service seriously. When it comes to security in web services you have two basic choices.

  1. Transport level security - Just SOAP over HTTPS
  2. Message level security - WS-Security

See my previous blog comparing Transport level and Message level security.

If you are satisfied with the security provided by using just ‘SOAP over HTTPS’, you can get the work done by configuring your server (Apache or IIS) to enable ssl. See http://www.onlamp.com/pub/a/onlamp/2008/03/04/step-by-step-configuring-ssl-under-apache.html for an step by step guide for configure SSL in your Apache server.

If you want message level security for your application, just use WS-Security. With WSF/PHP it is even easier to implement than SOAP over HTTPS method, because you can provide the certificates programatically in PHP and no need to do further configuration.

WSF/PHP provides you two classes in line with WSService to implement an API to provide WS-Security.

  1. WSPolicy -Let you provide rules that the engine need to follow in securing the message. E.g. 
    $policy = new WSPolicy(array("security"=> array("encrypt" => TRUE,
                    "algorithmSuite" => "Basic256Rsa15",
                    "securityTokenReference" => "IssuerSerial")));

    In fact you can load policies from an xml which adheres to the WS-SecurityPolicy specification.

  2. WSSecurityToken - Keeps the security tokens like certificates, keys, username, passwords which would be used when applying the rules specified in the policy. E.g. 
    $sec_token = new WSSecurityToken(array("privateKey" => $pvt_key,
                                       "receiverCertificate" => $pub_key));

You can see the WS-Security in action on live from http://labs.wso2.org/wsf/php/samples/security/ and security demo ource codes.

[Ask] [Bloglines] [del.icio.us] [Digg] [diigo] [dzone] [Facebook] [Google] [MySpace] [MyWeb] [Newsvine] [PlugIM] [Reddit] [Slashdot] [Spurl] [StumbleUpon] [Twitter] [Windows Live] [Yahoo!] [Email] More »
security, web services 1 Comment »