PHP Data Services With WS-Security

Earlier I wrote a blog post about how to make your WordPress blog a web service using the WSF/PHP Data Services library. Here I will expand on that post to demonstrate the use of WS-Security features with WSF/PHP.

This time it is a Tag Search service for my WordPress blog. Check the ‘Tag Search’ Data Services Demo from The only difference is that here you are authenticated before accessing the service, using the username tokens specified in WS-Security.

Look at the WSSecurity constructor in the Data Service Demo Code. You can see 4 new parameters passed in to it (in addition to the “config” and “operations” options):

  • policy – This is where you specify the policy that governs the service. You can either use a WS-Policy compliant policy file or just a simple PHP array that contains the required security token information.
    $sec_array = array("useUsernameToken" => TRUE);
    $policy = new WSPolicy(array("security"=>$sec_array));
  • securityToken – This is where you specify the user parameters, such as how authentication is handled and the password encoding type.
    $security_token = new WSSecurityToken(array("passwordCallback" => "password_callback_function",
                                           "passwordType" => "Digest"));
    /* callback function
     * @param string $username username of the client request
     * @return string $password password for that username
     */
    function password_callback_function($username) {
        // In the real world I should authenticate users from a database.
        // For this demo I have a simple if-else block.
        if ($username == "visitor") {
            return "visitor123";
        }
        return "notavistor";
    }

    Note that here you specify a callback function for the security token parameter. Inside this function you retrieve the password for the user (usually from a database) and return it. WSF/PHP authenticates the user from this information.

  • useWSA – You need to set this option in order to generate the WS-Addressing parameters (like action) for your WSDL. WS-Addressing is required to run web services with WS-Security in WSF/PHP.
  • actions – You should provide a map of actions to service operations in order to get the WS-Addressing information generated with your WSDL.
    $actions = array("" => "getPosts");

    Have a look at how this information is rendered in the generated WSDL. (Note the wsaw:action attribute in the messages inside the portType element.)
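
With "passwordType" => "Digest", the client does not send the password itself; per the OASIS UsernameToken Profile it sends Base64(SHA-1(nonce + created + password)), which is why the callback has to hand back the clear-text password so the server can recompute the value. The following is an added example, not code from the original post or from WSF/PHP, sketching that check together with timestamp freshness and nonce-replay tests. The function names, the 300-second window and the sample user table are assumptions.

```php
<?php
// Added illustration, not WSF/PHP source; all function names are hypothetical.

// Returns the stored password, or null for an unknown user, so an unknown
// name can never match a fallback value.
function lookup_password(string $username): ?string {
    $users = array("visitor" => "visitor123"); // constructed demo data
    return $users[$username] ?? null;
}

// Password_Digest = Base64( SHA-1( nonce + created + password ) )
function username_token_digest(string $nonceB64, string $created, string $password): ?string {
    $nonce = base64_decode($nonceB64, true);
    if ($nonce === false) {
        return null; // nonce is not valid base64
    }
    return base64_encode(sha1($nonce . $created . $password, true));
}

function verify_username_token(array $token, array &$seenNonces, int $now, int $maxAge = 300): bool {
    $password = lookup_password($token["username"]);
    $created  = strtotime($token["created"]);
    if ($password === null || $created === false || abs($now - $created) > $maxAge) {
        return false; // unknown user, or malformed/stale timestamp
    }
    $key = $token["username"] . "|" . $token["nonce"];
    if (isset($seenNonces[$key])) {
        return false; // nonce already used inside the freshness window: replay
    }
    $expected = username_token_digest($token["nonce"], $token["created"], $password);
    if ($expected === null || !hash_equals($expected, $token["digest"])) {
        return false; // wrong password or tampered fields
    }
    $seenNonces[$key] = $now; // remember the nonce only after a successful check
    return true;
}

// Constructed sample token, built the way a client would build it.
$nonce   = base64_encode(random_bytes(16));
$created = gmdate('Y-m-d\TH:i:s\Z');
$token   = array("username" => "visitor", "nonce" => $nonce, "created" => $created,
                 "digest" => username_token_digest($nonce, $created, "visitor123"));
$seen = array();
var_dump(verify_username_token($token, $seen, time()));   // first presentation
var_dump(verify_username_token($token, $seen, time()));   // same token replayed
$token["username"] = "someone-else";
var_dump(verify_username_token($token, $seen, time()));   // unknown user
```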

After you deploy the service, it is very easy to generate a client from the WSDL. If you write clients in PHP, you can use the wsdl2php tool that ships with WSF/PHP. The code for my demo client can be found in (There I have hard-coded the username and password just for demo purposes.)


5 Responses to PHP Data Services With WS-Security

  1. Toby Mccoy says:

    It displays the service, action, and this option. Think of the service as a map for 4 new parameters. There is absolutely no reason to feel intimidated in the ‘Tag Search’ because it really isn’t that hard.

  2. dimuthu says:

    Hi Toby,
    Yeah, ‘Tag Search’ is not hard. I just want to show a demo of the use of WS-Security on a PHP web service. You can apply these theories wherever security is needed in SOAP messaging.


  3. dimuthu says:

    There was a problem in the Tag Search demo: I had missed the tag_taxonomy table, which keeps the map of tags to taxonomy. It is now corrected in the current online version.


  4. I’m trying to implement the example, but my WSDL does not seem to have the auth parameters:


    TRUE, "includeTimestamp" => TRUE);
    $policy = new WSPolicy(array("security" => $security_options));

    // setting it to the security token
    $sec_token = new WSSecurityToken(array("passwordCallback" => "validate_api_user",
                                           "passwordType" => "PlainText"));

    $service = new WSService(array(
        "policy" => $policy,
        "securityToken" => $sec_token,
        "useWSA" => TRUE,
        "classes" => array(
            "mbSOAPActivity" => array("operations" => array("Activity.get" => "getActivities")),
            "mbSOAPCampaign" => array("operations" => array("Campaign.get" => "getCampaigns")),
            "mbSOAPContact" => array("operations" => array("Contact.getLeads" => "getContactLeads")),
            "mbSOAPEmailList" => array("operations" => array("EmailList.getMembers" => "getListMembers", "EmailList.subscribe" => "subscribe", "EmailList.unsubscribe" => "unsubscribe", "EmailList.get" => "getEmailLists")),
            "mbSOAPNewsletter" => array("operations" => array("Newsletter.get" => "getNewsletters")),
            "mbSOAPSurvey" => array("operations" => array("Survey.add" => "addSurvey", "Survey.get" => "getLeads"))
        )
    ));


    What am I doing wrong?

  5. dimuthu says:

    You don’t need to have the policies inline in WSDL. You can provide the policy separately.
