Configure https with WS-Security

Friday, May 21, 2010

Using a WS-Security Username Token together with transport-level security (HTTPS) is quite common. By default, however, WSF/PHP pairs the Username Token with a WS-Security Signature. Let's look at how to configure the WS-Security Username Token with WSF/PHP.

Since WSF/PHP by default tries to sign the Username Token credentials, you need to specify the client certificate and the private key when configuring the Username Token.

e.g.

$security_options = array("useUsernameToken" => TRUE);

$policy = new WSPolicy(array("security" => $security_options));

// $my_key and $my_cert hold the client's private key and certificate
// (PEM strings, e.g. read with file_get_contents), because the default
// Username Token policy signs the token with the client's key.
$security_token = new WSSecurityToken(array("user" => "Raigama",
                                            "password" => "RaigamaPW",
                                            "passwordType" => "Digest",
                                            "privateKey" => $my_key,
                                            "certificate" => $my_cert));

I have copied this code snippet from the username token sample. As you can see, we only enable the Username Token by using the useUsernameToken option in the policy configuration. However, in the WSSecurityToken configuration I have passed both the "privateKey" and the "certificate" option. The private key is the client's private key, and the certificate is the client's certificate, which contains the client's public key. Both are required because, by default, the Username Token is signed to strengthen its security.

Often you would rather use the HTTPS transport with a plaintext username and password instead of a signed Username Token. You can enable this by specifying a policy file with an empty transportBinding element in it, as follows.

<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:TransportBinding>
                <wsp:Policy>
                </wsp:Policy>
            </sp:TransportBinding>
            <sp:SignedSupportingTokens>
                <wsp:Policy>
                    <sp:UsernameToken
                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssUsernameToken10 />
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SignedSupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

Now create the WSPolicy object from the policy file.

// Read the policy XML shown above from a file (the path is a placeholder).
$policy_string = file_get_contents("policy.xml");
$policy = new WSPolicy($policy_string);

In the WSClient options, change the "to" endpoint from "http" to "https" and specify the "CACert" option, which points to the CA certificate used to verify the server's certificate.
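Putting the steps together, here is a complete client as an added example (not code from the original post or from the WSF/PHP samples). It assumes that policy.xml contains the TransportBinding policy shown above, that ca.pem is the CA certificate that signed the server's certificate, and that the endpoint URL, action and echo payload are placeholders for your own service.

```php
<?php
// Added example: a WSF/PHP client sending a plaintext UsernameToken over HTTPS.
// With the TransportBinding policy, the HTTPS session protects the credentials,
// so no client private key or certificate is needed in the WSSecurityToken.
// Assumed files: policy.xml (policy shown above), ca.pem (CA certificate).

$policy_xml = file_get_contents("policy.xml");
$policy = new WSPolicy($policy_xml);

// Only user, password and passwordType: the policy no longer asks for a
// signed token, so "privateKey" and "certificate" are omitted.
$security_token = new WSSecurityToken(array("user" => "Raigama",
                                            "password" => "RaigamaPW",
                                            "passwordType" => "PlainText"));

// Placeholder request payload for an echo-style operation.
$request_payload = '<ns1:echoString xmlns:ns1="http://example.org/placeholder">' .
                   '<text>Hello World!</text></ns1:echoString>';

$client = new WSClient(array(
    // "to" must be an https URL (placeholder host) for the transport binding.
    "to"            => "https://service.example.invalid/services/echo",
    "useSOAP"       => "1.2",
    "action"        => "http://example.org/placeholder/echoString",
    // CA certificate used to verify the server's certificate; without it
    // the client cannot tell a spoofed server from the real one.
    "CACert"        => "ca.pem",
    "policy"        => $policy,
    "securityToken" => $security_token));

try {
    $response = $client->request($request_payload);
    printf("Response = %s\n", htmlspecialchars($response->str));
} catch (Exception $e) {
    // A WSFault carries the SOAP fault, e.g. a rejected username or password.
    if ($e instanceof WSFault) {
        printf("Soap Fault: %s\n", $e->Reason);
    } else {
        printf("Message = %s\n", $e->getMessage());
    }
}
```

If the service expects a digest password, set "passwordType" to "Digest" as in the earlier snippet; the rest of the client is unchanged.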

3 comments:

CJ said...

Checked these tips. All works well. Thanks for posting. Look at the PHP tutorial.

冠慧 said...

Please keep posting good articles! Keep it up, keep it up, keep it up!

jthorhauer said...

So is this the only way to use UsernameToken without a client cert? That is, do you have to provide a custom policy file if you do not want to provide a privateKey and certificate in the WSSecurityToken? Or can you simply create a WSSecurityToken without the privateKey and certificate attributes?