[wsf-c-dev] [wsf-php] Security Implementation
James Clark
james at wso2.com
Tue Feb 13 23:15:16 PST 2007
On Wed, 2007-02-14 at 11:41 +0530, Buddhika Semasinghe wrote:
> Hi;
> In security implementation in wsf4php as we have discussed, we are
> going to introduce a WSPolicy object. So in the policy object for the
> time being is it better to include the security related options? As far
> as in my understanding we can include an option array
>
> 1. sign => "true"|"false"
> 2. encrypt => "true"|"false"
> 3. Algorithm suite => "sha1"|"sha256"|...
> 4. Layout => "strict"|"Lax"|..
> 5. Timestamp
> 6. ProtectionOrder => "EncryptBeforeSign"|"SignBeforeEncrypt"
>
> So the PHP user can specify the options as he would like, otherwise
> default options have to be set.
>
> Is this a better way to carry on? Would like to have your comments please.

I see us going more and more in the direction of being policy-driven, so
we're going to end up with a very wide variety of policy options that
need to be specified. Plus this will need to evolve over time and be
extensible. So I think an approach where the user specifies policy as a
single flat options array to WSPolicy would cause us difficulty in the
future.

Instead, I would suggest an approach more like we're using with security
tokens. The normal PHP user wouldn't use the WSPolicy constructor
directly to construct WSPolicy for a security policy. Instead they would
use a function specific to each kind of policy: these functions would
take an options array like you suggest and there would be one for
security policy (e.g. ws_security_policy).

As for the WSPolicy constructor, it would take 0 or more arguments,
where each argument is SimpleXML/DOM/String/WSPolicy and the semantics
are that they are All'ed together (and you'll get an exception if the
XML representations are not syntactically valid as a policy expression).

So at the WSClient level you might have something like:

    policy => ws_security_policy(array("sign" => true,
                                       "algorithmSuite" => "sha256"))

We could make this a bit easier by having a few predefined global
WSPolicy variables containing recommended canned sets of security
policies (like what the Java guys have). So you could just say:

    policy => $ws_default_signed_security_policy

or

    policy => $ws_sha256_signed_security_policy

If you want to have both an RM policy and a security policy, you could
do:

    policy => WSPolicy($ws_default_rm_policy,
                       $ws_default_signed_security_policy)

Or is this too sophisticated for PHP? I guess the alternative would be
to have a nested array of options:

    policy => array( "security" => array("sign" => true,
                                         "algorithmSuite" => "sha256") )

James
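
A sketch of the design proposed in the message above, added here as an example; it is not wsf4php code and not written by either poster. It shows a WSPolicy constructor that combines its arguments under one wsp:All and throws on anything that is not a policy expression, plus a ws_security_policy() helper that fills defaults and rejects unknown options. The WS-Policy 1.2 namespace, the `urn:example:security-options` vocabulary, the default values and the allow-list check are assumptions of the sketch.

```php
<?php
const WSP_NS = 'http://schemas.xmlsoap.org/ws/2004/09/policy'; // WS-Policy 1.2 (assumed)
const EX_NS = 'urn:example:security-options'; // placeholder vocabulary, hypothetical
class WSPolicy
{
    private DOMDocument $doc;
    // Zero or more policy expressions, All'ed together under one wsp:All.
    public function __construct(...$parts)
    {
        $this->doc = new DOMDocument();
        $root = $this->doc->appendChild($this->doc->createElementNS(WSP_NS, 'wsp:Policy'));
        $all = $root->appendChild($this->doc->createElementNS(WSP_NS, 'wsp:All'));
        foreach ($parts as $part) {
            $all->appendChild($this->doc->importNode(self::toElement($part), true));
        }
    }
    public function toXml(): string { return $this->doc->saveXML($this->doc->documentElement); }
    private static function toElement($part): DOMElement
    {
        if ($part instanceof WSPolicy) $part = $part->doc->documentElement;
        elseif ($part instanceof SimpleXMLElement) $part = dom_import_simplexml($part);
        elseif ($part instanceof DOMDocument) $part = $part->documentElement;
        elseif (is_string($part)) {
            $d = new DOMDocument(); // LIBXML_NONET: no network access while parsing
            $part = ($part !== '' && @$d->loadXML($part, LIBXML_NONET)) ? $d->documentElement : null;
        }
        if (!$part instanceof DOMElement || $part->namespaceURI !== WSP_NS || $part->localName !== 'Policy') {
            throw new InvalidArgumentException('argument is not a valid wsp:Policy expression');
        }
        return $part;
    }
}

// Option names and values from the quoted list; the first value of each is this sketch's default.
function ws_security_policy(array $options = []): WSPolicy
{
    $allowed = ['sign' => [true, false], 'encrypt' => [false, true], 'timestamp' => [true, false],
        'algorithmSuite' => ['sha256', 'sha1'], 'layout' => ['strict', 'lax'],
        'protectionOrder' => ['SignBeforeEncrypt', 'EncryptBeforeSign']];
    $doc = new DOMDocument();
    $root = $doc->appendChild($doc->createElementNS(WSP_NS, 'wsp:Policy'));
    foreach ($options + array_map(fn($v) => $v[0], $allowed) as $name => $value) {
        if (!in_array($value, $allowed[$name] ?? [], true)) { // strict: unknown names/values fail
            throw new InvalidArgumentException("unsupported security option or value: $name");
        }
        $root->appendChild($doc->createElementNS(EX_NS, "ex:$name"))
             ->setAttribute('value', is_bool($value) ? var_export($value, true) : $value);
    }
    return new WSPolicy($root);
}
echo (new WSPolicy(ws_security_policy(['sign' => true, 'algorithmSuite' => 'sha256'])))->toXml(), "\n";
```

Because the comparison is strict, the string "false" is rejected instead of being treated as a truthy value, so a mistyped option cannot silently switch signing or encryption on or off.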