I have an XFire web service which is using WS-Security and the User Token
with Hashed Password scheme.  I have written a client for the web service in
Java and C# and both are working fine.  My setup for the web service can be
seen here:

The PHP client that I've written works fine too, too fine.  It ignores the
security features and processes the request and result every time I supply
any kind of a Security header.  If I don't supply a Security header, it
actually comes back with a fault, which is good.  If I supply a Security
header with incorrect username/password information, it goes through the
WSS4JHandler and returns a response every time.

Here's the sample PHP code to reproduce the problem:

class SecurityHeader {
  var $UsernameToken;
  public function __construct($ut) {
     $this->UsernameToken = $ut;
  }
}

class UsernameToken {
  var $Username;
  var $Password;
  var $Nonce;
  var $Created;

  public function __construct($u, $p, $n, $c) {
     $this->Username = $u;
     $this->Password = $p;
     $this->Nonce = $n;
     $this->Created = $c;
  }
}

$usernameToken = new UsernameToken("a", "b", "c", "d");
$securityHeader = new SecurityHeader($usernameToken);


// set up the service client using WSDL
$client = new SoapClient("http://arsenalist.com/services/myservice?wsdl");
// build the request wrapper explicitly rather than relying on implicit object creation
$wrapper = new stdClass();
$wrapper->in0 = new stdClass();
$wrapper->in0->personId = new SoapVar("8300006", XSD_STRING);
$header = new SoapHeader(
  'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd',
  'Security', $securityHeader, 1);
$response = $client->__soapCall("getEmail", array($wrapper), null, $header);

// works every time
print($response->out->email);


Here is the SOAP envelope that is being sent:

<?xml version="1.0" encoding="UTF-8"?>
   <SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="http://vo.arsenalist.com" xmlns:ns2="http://arsenalist.com"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <SOAP-ENV:Header>
         <ns3:Security SOAP-ENV:mustUnderstand="1">
            <UsernameToken>
               <Username>a</Username>
               <Password>b</Password>
               <Nonce>c</Nonce>
               <Created>d</Created>
            </UsernameToken>
         </ns3:Security>
      </SOAP-ENV:Header>
      <SOAP-ENV:Body>
         <ns2:getEmail>
            <ns2:in0>
               <ns1:personId>8300006</ns1:personId>
            </ns2:in0>
         </ns2:getEmail>
      </SOAP-ENV:Body>
   </SOAP-ENV:Envelope>


My web service is using JSR181 annotations and the entire setup is described
here:

http://arsenalist.com/2007/01/18/implementing-ws-security-with-jsr181-annotations-using-wss4j-in-xfire/

Is this a problem with XFire's WSS4J classes?  Keep in mind that Java and C#
clients are forced to supply proper authentication information, it's just
the PHP client that has a very easy time getting through.

Any help is appreciated.

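In the envelope posted above, `ns3:Security` is namespace-qualified but `UsernameToken` and its children are not. The following is an added example, not part of the original post and not XFire or WSS4J code: a fail-closed, namespace-aware check of a UsernameToken with the PasswordDigest scheme from the UsernameToken Profile 1.0. The user store, nonce, timestamp and sample envelopes are constructed, and whether XFire's WSS4JHandler treats an unqualified token this way is not established by the post.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE, WSU = OASIS + "wssecurity-secext-1.0.xsd", OASIS + "wssecurity-utility-1.0.xsd"
DIGEST = OASIS + "username-token-profile-1.0#PasswordDigest"

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def check_envelope(xml_text, passwords):
    """Return (accepted, reason); anything not positively verified is rejected."""
    sec = ET.fromstring(xml_text).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return False, "no wsse:Security header"
    token = sec.find(f"{{{WSSE}}}UsernameToken")
    if token is None:  # the posted shape: <UsernameToken> without a namespace
        return False, "no namespace-qualified wsse:UsernameToken"
    user, nonce = (token.findtext(f"{{{WSSE}}}{n}") for n in ("Username", "Nonce"))
    pw, created = token.find(f"{{{WSSE}}}Password"), token.findtext(f"{{{WSU}}}Created")
    if pw is None or None in (user, nonce, created) or pw.get("Type") != DIGEST:
        return False, "incomplete token or not PasswordDigest"
    try:
        expected = password_digest(nonce, created, passwords.get(user, ""))
    except ValueError:  # nonce is not valid Base64
        return False, "malformed nonce"
    sent = (pw.text or "").encode()
    ok = user in passwords and hmac.compare_digest(expected.encode(), sent)
    return ok, "digest verified" if ok else "digest mismatch"

def envelope(token_xml):  # constructed sample envelope around the token markup
    return (f'<e:Envelope xmlns:e="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<e:Header><wsse:Security e:mustUnderstand="1">{token_xml}'
            '</wsse:Security></e:Header><e:Body/></e:Envelope>')

def qualified(user, password, nonce_b64, created):  # constructed, well-formed token
    digest = password_digest(nonce_b64, created, password)
    return envelope(f'<wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
                    f'<wsse:Password Type="{DIGEST}">{digest}</wsse:Password>'
                    f'<wsse:Nonce>{nonce_b64}</wsse:Nonce>'
                    f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')

# Constructed sample data; UNQUALIFIED mirrors the posted header's token shape.
USERS, CREATED = {"alice": "s3cret"}, "2007-01-18T12:00:00Z"
NONCE = base64.b64encode(b"constructed-nonce").decode()
UNQUALIFIED = envelope("<UsernameToken><Username>a</Username><Password>b</Password>"
                       "<Nonce>c</Nonce><Created>d</Created></UsernameToken>")
```

Nonce replay tracking and a freshness window on `Created` are left out of this sketch; a production check needs both.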