Thread: Authentication and PHP

  1. #1
    Join Date
    Oct 2008
    Posts
    5

    Authentication and PHP

    Hi,

    I'm using SpringWS to implement some web services that my customer needs to consume using PHP and the default SOAP extension.

    I'm using digest passwords and SimplePasswordValidationCallbackHandler. I have the following configuration:

    Code:
        <bean id="passwordValidationHandler" class="org.springframework.ws.soap.security.xwss.callback.SimplePasswordValidationCallbackHandler">
            <property name="users">
                <props>
                    <prop key="myuser">q5aerTWe74r</prop>
                </props>
            </property>
        </bean>
    I also have a "wss-server-config.xml" with the following code:
    Code:
    <?xml version="1.0"?>
    <xwss:SecurityConfiguration xmlns:xwss="[path to ns]">
        <xwss:RequireUsernameToken passwordDigestRequired="true" nonceRequired="false" />
    </xwss:SecurityConfiguration>
    Interceptors are correctly set; if I don't authenticate, the services will kick me off (and that's normal behavior).

    It works very well when I try to query them with SoapUI, but my customer has a lot of difficulty authenticating with PHP.

    Could you give me any hint on either 1) correctly authenticating on such a service with PHP or 2) changing the authentication strategy so that it will work with PHP and the default SOAP extension?

    I must confess that I don't have solid skills with PHP, so it's a bit tricky for me to debug it.

    Any clue will be highly appreciated

    Thanks

  2. #2

    I suggest you configure a logging interceptor on your service to see what the incoming requests look like.
    Tareq Abedrabbo


  3. #3
    Join Date
    Oct 2008
    Posts
    5

    Hi,

    thanks for the hint. Here is what I get:

    Code:
    DEBUG - dlDefinitionHandlerAdapter - Transforming [/services/productService/] to [http://localhost:8080/CosimooV2/services/productService/]
    DEBUG - MessageDispatcherServlet   - Successfully completed request
    DEBUG - MessageTracing             - Received request [SaajSoapMessage {http://cosimoo.com/pr/schemas}StaticProductListRequest]
    DEBUG - adRootQNameEndpointMapping - Looking up endpoint for [{http://cosimoo.com/pr/schemas}StaticProductListRequest]
    DEBUG - SoapMessageDispatcher      - Endpoint mapping [org.springframework.ws.server.endpoint.mapping.PayloadRootQNameEndpointMapping@64e5b2] has no mapping for request
    DEBUG - adRootQNameEndpointMapping - Looking up endpoint for [{http://cosimoo.com/pr/schemas}StaticProductListRequest]
    DEBUG - SoapMessageDispatcher      - Endpoint mapping [org.springframework.ws.server.endpoint.mapping.PayloadRootQNameEndpointMapping@2445d7] has no mapping for request
    DEBUG - adRootQNameEndpointMapping - Looking up endpoint for [{http://cosimoo.com/pr/schemas}StaticProductListRequest]
    DEBUG - SoapMessageDispatcher      - Endpoint mapping [org.springframework.ws.server.endpoint.mapping.PayloadRootQNameEndpointMapping@165547d] has no mapping for request
    DEBUG - adRootQNameEndpointMapping - Looking up endpoint for [{http://cosimoo.com/pr/schemas}StaticProductListRequest]
    DEBUG - SoapMessageDispatcher      - Endpoint mapping [org.springframework.ws.server.endpoint.mapping.PayloadRootQNameEndpointMapping@19ce9e0] maps request to endpoint [booby.webservices.products.StaticProductListEndpoint@b890dc]
    DEBUG - PayloadLoggingInterceptor  - Request: <ns1:StaticProductListRequest xmlns:ns1="http://cosimoo.com/pr/schemas"><ns1:shopid>8</ns1:shopid></ns1:StaticProductListRequest>
    WARN  - XwsSecurityInterceptor     - Could not validate request: com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]:  No Security Header found; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]:  No Security Header found
    DEBUG - MessageTracing             - Sendt response [SaajSoapMessage {http://schemas.xmlsoap.org/soap/envelope/}Fault] for request [SaajSoapMessage {http://cosimoo.com/pr/schemas}StaticProductListRequest]
    DEBUG - MessageDispatcherServlet   - Successfully completed request
    But now, I don't know how to fix it

  4. #4
    Join Date
    Oct 2008
    Posts
    5

    Sorry, here is the related PHP code, which produces the logging trace dumped above:

    Code:
    <?php
    	ini_set("soap.wsdl_cache_enabled","0");	
    
    	$options = array('trace' 			=> 1, 
    					 'login' 			=> 'xxx', 
    					 'password' 		=> 'yyy', 
    					 'authentication' 	=> SOAP_AUTHENTICATION_DIGEST);
    			
    	$client = new SoapClient("http://xxx:yyy@localhost:8080/...../product.wsdl",$options);				
    	
    	try
    	{
    		$products = $client->StaticProductList(array("shopid"=>8));
    	}
    	catch (Exception $e)
    	{
    		var_dump($e);
    		echo($client->__getLastRequestHeaders()."<br>");
    		echo($client->__getLastRequest()."<br>");				
    		echo($client->__getLastResponseHeaders());
    		die();
    	}	
    	
    	var_dump($products);
    ?>

  5. #5
    Join Date
    Oct 2008
    Posts
    5

    No idea?

    Too bad, I (naively) thought that web services are useful to abstract from system and languages...

    As far as I can see, this seems not to be correctly implemented everywhere...

  6. #6
    Join Date
    Oct 2008
    Posts
    5

    I've implemented my own authentication strategy. Fields username/password are passed in the body of the query, and I control them at the beginning of each "invokeInternal" query, and throw an exception when authentication fails.

    I know that this is awful, ugly, poor security, etc. but if anybody has a better solution...
