With WSF/PHP 1.3.2 you can use following basic features in WS-Security.
| Feature | Purpose | Array based Security Policy Options ($sec_policies) | Security Token Options ($sec_token_options) |
| UsernameToken | Authentication | array(“useUsernameToken” => TRUE) | array(“user” => “your_username”, “password” => “your_password”, “passwordType” => “Digest”); //Digest/Plain |
| Timestamp | Avoid Interception,Replay Attack (use with signing) | array(“includeTimeStamp” => TRUE); | array(“ttl” => 100) |
| Signing | Non-Repudiation, Verify Server/Clients identity | array(“sign” => TRUE, “algorithmSuite” => “Basic256Rsa15″, “securityTokenReference” => “KeyIdentifier”) |
array(“privateKey” => $pvt_key, certificate” => $cert) |
| Encryption | privacy | array(“encrypt” => TRUE, “algorithmSuite” => “Basic256Rsa15″, “securityTokenReference” => “IssuerSerial”); |
array(“privateKey” => $pvt_key, “receiverCertificate” => $pub_key)) |
You can build the WSPolicy and WSSecurityToken with an any mix of above features. For some scenarios you may only need timestamp with signing where as some other critical scenarios you want signing, encryption, username token and timestamp.
Here is how you build the WSSPolicy and WSSecurityToken classes using the above mentioned $sec_policies and $sec_token_options.
$policy = new WSPolicy(array("security"=> $sec_policies)); $sec_token = new WSSecurityToken($sec_token_options); $svr = new WSService(array("policy" => $policy, "securityToken" => $sec_token, "actions" => $your_actions, "operations" => $your_operations)); $svr->reply();
Similarly you can use the WSPolicy and WSSecurity with WSClient for the client side security. See the samples WS-Security demos and WS-Security sources.
This blog is about some of the security features shipped with WSF/PHP 1.3.2. With the next release of WSF/PHP you will have more features related to WS-Security like WS-SecureConversations, WS-Trust and use of KeyStores for encryption and signing.