August 14th, 2008Encrypt and Sign your SOAP messages in PHP

When you are developing a Web Service, you have to think about the security aspects of your service seriously. When it comes to security in web services you have two basic choices.

  1. Transport level security - Just SOAP over HTTPS
  2. Message level security - WS-Security

See my previous blog comparing Transport level and Message level security.

If you are satisfied with the security provided by using just ‘SOAP over HTTPS’, you can get the work done by configuring your server (Apache or IIS) to enable ssl. See http://www.onlamp.com/pub/a/onlamp/2008/03/04/step-by-step-configuring-ssl-under-apache.html for an step by step guide for configure SSL in your Apache server.

If you want message level security for your application, just use WS-Security. With WSF/PHP it is even easier to implement than SOAP over HTTPS method, because you can provide the certificates programatically in PHP and no need to do further configuration.

WSF/PHP provides you two classes in line with WSService to implement an API to provide WS-Security.

  1. WSPolicy -Let you provide rules that the engine need to follow in securing the message. E.g. 
    $policy = new WSPolicy(array("security"=> array("encrypt" => TRUE,
                    "algorithmSuite" => "Basic256Rsa15",
                    "securityTokenReference" => "IssuerSerial")));

    In fact you can load policies from an xml which adheres to the WS-SecurityPolicy specification.

  2. WSSecurityToken - Keeps the security tokens like certificates, keys, username, passwords which would be used when applying the rules specified in the policy. E.g. 
    $sec_token = new WSSecurityToken(array("privateKey" => $pvt_key,
                                       "receiverCertificate" => $pub_key));

You can see the WS-Security in action on live from http://labs.wso2.org/wsf/php/samples/security/ and security demo ource codes.

[Ask] [Bloglines] [del.icio.us] [Digg] [diigo] [dzone] [Facebook] [Google] [MySpace] [MyWeb] [Newsvine] [PlugIM] [Reddit] [Slashdot] [Spurl] [StumbleUpon] [Twitter] [Windows Live] [Yahoo!] [Email] More »
security, web services 1 Comment »

August 14th, 2008Transport Level Security vs Message Level Security

Transport Level Security Message Level Security
Secures point to point communication.

E.g: Your browser to Apache server

 Secures end to end to end communication.

E.g. Sales Order Request application to Database updating application
Not transparent thorough multiple transport protocols, Transparent through any number of transports since it is handled at an above layer
Cannot specify different part of the message to secured idifferently Can specify which part to sign, which part to encrypt in the message, Specially useful when you have a large message and you really want to secure a small portion.
Relatively easy to attack. Relatively difficult to attack. Since the unsecured path in the message flow is minimum,
In Web Services we found this is followed by transmitting SOAP over HTTPS. In Web Services you can follow message level security by adhering to WS-Security specification.

You can find a descriptive post about the Transport Level security vs Message Level Security on http://www.xyzws.com/scdjws.do?cat=scdjws&smenu=WSGEN&article=4.

[Ask] [Bloglines] [del.icio.us] [Digg] [diigo] [dzone] [Facebook] [Google] [MySpace] [MyWeb] [Newsvine] [PlugIM] [Reddit] [Slashdot] [Spurl] [StumbleUpon] [Twitter] [Windows Live] [Yahoo!] [Email] More »
security, web services 1 Comment »