This is the WS-Security API for WSF4PHP. The API consists of the WSSecurityToken and WSPolicy objects.

WSPolicy

The WSPolicy object is used to specify the policies associated with the Web Services. Users specify the security-related policies using this object.
WSPolicy Constructor

WSPolicy::__construct(mixed policy)

policy can be one of the following:
1. An XML string representing the policy.
2. A DOM node representing the policy.
3. An array of options, specified using the syntax below:
   array("security" => array of security options)

Description:
1. An example of the security policy as a string is provided at the end of this document.
2. The array of options is described in the following table.
| Option | Data Type | Value Domain | Default Value | Description |
|---|---|---|---|---|
| sign | string \| boolean | TRUE \| "X509" | FALSE | Whether to sign the XML message. By default signing is not enabled. If "sign"=>TRUE is specified, the body part of the SOAP message is signed using the X509 standard. The other available option is "Kerberos". Signing is done on the body part of the message; to sign other parts of the message, a policy file should be used. |
| encrypt | string \| boolean | TRUE \| "X509" | FALSE | Whether to encrypt the XML message. By default encryption is not enabled. If "encrypt"=>TRUE is specified, the body part of the SOAP message is encrypted using the X509 standard. The other available option is "Kerberos". Encryption is done on the body part of the message; to encrypt headers, a policy file should be used. |
| algorithmSuite | string | Corresponds to the WS-SecurityPolicy specification, section 7.1 (Algorithm Suite) definitions | "Basic256Rsa15" | The symmetric and asymmetric algorithms are derived from the algorithm suite string. If algorithmSuite is not specified, the default value "Basic256Rsa15" is assumed. |
| layout | string | "Strict" \| "Lax" | "Strict" | These are defined in the WS-SecurityPolicy specification 1.1, section 7.7. |
| includeTimestamp | boolean | TRUE | FALSE | If TRUE and the user provided the ttl (time to live) value when creating the security token object, a timestamp is included in the message. |
| protectionOrder | string | "EncryptBeforeSigning" \| "SignBeforeEncrypt" | "SignBeforeEncrypt" | Order in which integrity and confidentiality are applied to the message when both are required. |
| useUsernameToken | boolean | TRUE | FALSE | If the necessary options are provided with the WSSecurityToken object and "useUsernameToken"=>TRUE, then UsernameToken is enabled. |
| securityTokenReference | string | "IssuerSerial" \| "KeyIdentifier" \| "EmbeddedToken" \| "Thumbprint" | "Direct" | This option is common for both signing and encryption. If the user wishes to have other options, he should provide the appropriate policy file. Direct reference is treated as the default value. |
WSSecurityToken

A PHP-level object that logically represents security properties. This object is used to specify the security properties from the client or the service.

WSSecurityToken::__construct(array of options)

The options accepted are specified below.
| Option | Data Type | Value Domain | Default Value | Description |
|---|---|---|---|---|
| user | string | string | none | Username |
| certificate | string | string | none | User's certificate for signing, loaded with the function get_cert_from_file() |
| passwordType | string | "PlainText" \| "Digest" | "Digest" | Password type used in the username token |
| password | string | user's password used for the username token | none | User password as a string |
| privateKey | string | user's private key as a string | none | User's private key, loaded with the function get_key_from_file() |
| receiverCertificate | string | string | none | Receiver's certificate for encryption, loaded with the function get_cert_from_file() |
| ttl | int | int | 360 | The time period, in seconds, within which the message is valid |
| passwordCallback | string | string | none | Name of the password callback function, a user-defined function that accepts a username and returns the corresponding password. |
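The following is an added example (not code from the WSF4PHP documentation or project) that fills in every option the two tables above list: a WSPolicy array with all of the security options and a WSSecurityToken that supplies the key material and a password callback instead of a literal password. The file paths, username and password are placeholders; get_cert_from_file() and get_key_from_file() are the loaders the token table names; the request() call and the str property of its result are assumed from WSF/PHP's WSClient API, which this page does not describe.

```php
<?php
// Added example, not part of the WSF4PHP documentation.
// Assumptions: get_cert_from_file()/get_key_from_file() are the loaders the
// token table names; key paths and credentials below are placeholders.

// Password callback for the username token: receives the username and
// returns its password. The lookup table is constructed sample data; a real
// deployment would consult a credential store instead.
function lookup_password($username)
{
    $users = array("user1" => "placeholder-password");   // constructed
    return isset($users[$username]) ? $users[$username] : NULL;
}

function build_security_token()
{
    return new WSSecurityToken(array(
        "user"                => "user1",
        // Digest keeps the password out of the message; PlainText exposes it
        // unless the transport itself is protected.
        "passwordType"        => "Digest",
        "passwordCallback"    => "lookup_password",   // name of the function above
        // Signing material (initiator side).
        "certificate"         => get_cert_from_file("keys/client_cert.pem"),
        "privateKey"          => get_key_from_file("keys/client_key.pem"),
        // Recipient's certificate used to encrypt the body.
        "receiverCertificate" => get_cert_from_file("keys/service_cert.pem"),
        // Validity window in seconds; only meaningful with includeTimestamp.
        "ttl"                 => 300));
}

function build_policy()
{
    return new WSPolicy(array("security" => array(
        "sign"                   => TRUE,
        "encrypt"                => TRUE,
        "algorithmSuite"         => "Basic256Rsa15",
        "layout"                 => "Strict",
        "includeTimestamp"       => TRUE,
        "protectionOrder"        => "SignBeforeEncrypt",
        "useUsernameToken"       => TRUE,
        "securityTokenReference" => "IssuerSerial")));
}

$client = new WSClient(array(
    "to"            => "http://localhost/echo_service.php",
    "policy"        => build_policy(),
    "securityToken" => build_security_token()));

// request()/->str are assumed from the WSClient API (not on this page).
$response = $client->request(
    '<ns1:echo xmlns:ns1="http://example.org/echo"><text>hello</text></ns1:echo>');
echo $response->str;
```

Because "sign" and "encrypt" are TRUE, the token must carry the certificate, private key and receiver certificate; with only "user" and a password the username token would be added but the body could not be signed or encrypted.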
Additions to the WSClient

"policy" => WSPolicy instance
"securityToken" => WSSecurityToken instance

Only a minimal set of security settings is processed as user options. For more complex scenarios, the user should provide the appropriate policy file.

Sample code
1. The client gives an array of options for the security policy.

    // Security options; the option names and values follow the WSPolicy table above.
    $sec_array = array("encrypt" => TRUE,
                       "sign" => TRUE,
                       "algorithmSuite" => "Basic256Rsa15",
                       "includeTimestamp" => TRUE,
                       "protectionOrder" => "EncryptBeforeSigning",
                       "useUsernameToken" => TRUE);
    $policy = new WSPolicy(array("security" => $sec_array));
    // The username token needs a password (or passwordCallback); signing and
    // encryption with X509 also need the certificate, privateKey and
    // receiverCertificate options from the WSSecurityToken table.
    $sec_token = new WSSecurityToken(array("user" => "user1",
                                           "password" => "password1"));  // placeholder
    $client = new WSClient(array("to" => "http://localhost/echo_service.php",
                                 "policy" => $policy,
                                 "securityToken" => $sec_token));
2. Sample policy file.

    <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:InitiatorToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                    <wsp:Policy>
                      <sp:WssX509V3Token10 />
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:InitiatorToken>
              <sp:RecipientToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
                    <wsp:Policy>
                      <sp:WssX509V3Token10 />
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:RecipientToken>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:Basic256Rsa15 />
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Strict />
                </wsp:Policy>
              </sp:Layout>
              <sp:IncludeTimestamp />
              <sp:EncryptBeforeSigning />
              <sp:OnlySignEntireHeadersAndBody />
            </wsp:Policy>
          </sp:AsymmetricBinding>
          <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:MustSupportRefIssuerSerial />
            </wsp:Policy>
          </sp:Wss10>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
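As an added example (not code from the WSF4PHP documentation or project), the two remaining forms of the WSPolicy constructor, an XML string and a DOM node, applied to the sample policy file above. The path "asym_policy.xml" is a placeholder for a file holding that XML, the key paths are placeholders, and get_cert_from_file()/get_key_from_file() are the loaders the WSSecurityToken table names. The DOM form parses and checks the document before it reaches the security stack, so a truncated or unrelated file is rejected with a clear error rather than silently producing an unprotected message.

```php
<?php
// Added example, not part of the WSF4PHP documentation.
// Assumption: "asym_policy.xml" (placeholder path) contains the sample policy
// shown above; key file paths are placeholders.

// Form 1: hand the policy to WSPolicy as an XML string.
function policy_from_string($path)
{
    $xml = file_get_contents($path);
    if ($xml === FALSE || trim($xml) === "") {
        throw new Exception("cannot read policy file: $path");
    }
    return new WSPolicy($xml);
}

// Form 2: hand the policy to WSPolicy as a DOM node, after checking that the
// file is well-formed XML whose root is wsp:Policy.
function policy_from_dom($path)
{
    libxml_use_internal_errors(TRUE);           // collect parse errors instead of printing warnings
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = FALSE;
    if (!$doc->load($path)) {
        $err = libxml_get_last_error();
        throw new Exception("policy file is not well-formed XML: $path"
                            . ($err ? " (" . trim($err->message) . ")" : ""));
    }
    $root = $doc->documentElement;
    $wsp  = "http://schemas.xmlsoap.org/ws/2004/09/policy";
    if ($root->namespaceURI !== $wsp || $root->localName !== "Policy") {
        throw new Exception("root element is not wsp:Policy in $path");
    }
    return new WSPolicy($root);
}

$policy = policy_from_dom("asym_policy.xml");

// The asymmetric binding's InitiatorToken/RecipientToken assertions call for
// the client's X509 key pair and the service's certificate. The token
// reference style (IssuerSerial) comes from the policy file, so no
// securityTokenReference option is needed here.
$token = new WSSecurityToken(array(
    "certificate"         => get_cert_from_file("keys/client_cert.pem"),
    "privateKey"          => get_key_from_file("keys/client_key.pem"),
    "receiverCertificate" => get_cert_from_file("keys/service_cert.pem"),
    "ttl"                 => 300));   // seconds; the policy includes a timestamp

$client = new WSClient(array(
    "to"            => "http://localhost/echo_service.php",
    "policy"        => $policy,
    "securityToken" => $token));
```

policy_from_string() and policy_from_dom() are interchangeable for a valid file; the DOM form is preferable when the policy is read from a location outside the application's control, because the root-element check catches a wrong file before any message is built under it.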