Web Service Facade for PHP5. Andreas Meyer, Sebastian Böttner, Stefan Marr



Similar documents
PowerCenter Real-Time Development

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2013 Consona Corporation. All rights reserved

SOAP Tips, Tricks & Tools

vcommander will use SSL and session-based authentication to secure REST web services.

Secure Authentication and Session. State Management for Web Services

Software documentation systems

Onset Computer Corporation

Using Foundstone CookieDigger to Analyze Web Session Management

Securing Web Services Using Microsoft Web Services Enhancements 1.0. Petr PALAS PortSight Software Architect

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

The BritNed Explicit Auction Management System. Kingdom Web Services Interfaces

10CS73:Web Programming

Authentication and Single Sign On

Web Application Report

An Oracle White Paper November Oracle Primavera P6 EPPM Integrations with Web Services and Events

e-filing Secure Web Service User Manual

Integration Knowledge Kit Developer Journal

Mollom client API 1.0

Improving performance for security enabled web services. - Dr. Colm Ó héigeartaigh

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

WORKING WITH WEB SERVICES. Rob Richards

Examples with.net & PHP. Martin Haagen, QlikTech, Systems Manager;

Enterprise Access Control Patterns For REST and Web APIs

Mutual Fund Web Service Developer Guide

Security Testing For RESTful Applications

ImageNow Message Agent

PHP Magic Tricks: Type Juggling. PHP Magic Tricks: Type Juggling

Instant Chime for IBM Sametime Installation Guide for Apache Tomcat and Microsoft SQL

17 March 2013 NIEM Web Services API Version 1.0 URI:

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

How to pull content from the PMP into Core Publisher

Designing RESTful Web Applications

Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3

IBM WebSphere Data Power SOA Applicances V3.8.1 Solution IMP. Version: Demo. Page <<1/10>>

SDK Code Examples Version 2.4.2

Software Requirement Specification Web Services Security

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide

W E B S E RV I C E S D Y N A M I C C L I E N T G U I D E

HireRight Integration Platform and API: HireRight Connect. Third Party Developer Guide

Mobility Information Series

KMx Enterprise: Integration Overview for Member Account Synchronization and Single Signon

Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact

NetIQ Access Manager. Developer Kit 3.2. May 2012

WebService Security. A guide to set up highly secured client-server communications using WS-Security extensions to the SOAP protocol

Configuring Single Sign-on for WebVPN

1. Review of XML web services. 2. Review of WS-Security. 3. Our new formal model for SOAP security. 4. Demo of our new formal tool, TulaFale

Integrating Moodle with an external tool

HTTP and HTTPS Statistics Services

HOBOlink Web Services V2 Developer s Guide

Configuration Worksheets for Oracle WebCenter Ensemble 10.3

E*TRADE Developer Platform. Developer Guide and API Reference. October 24, 2012 API Version: v0

Course Name: Course in JSP Course Code: P5

MINISTRY OF FINANCE SYSTEM INTEGRATION PLAN ATTACHMENT NR 2 SEAP XML SPECIFICATION WEBSERVICE INTERFACE FOR EXTERNAL SYSTEMS PROJECT ECIP/SEAP

XML Processing and Web Services. Chapter 17

EUR-Lex 2012 Data Extraction using Web Services

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

ActiveVOS Server Architecture. March 2009

How To Create A C++ Web Service

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Securing JAX-RS RESTful services. Miroslav Fuksa (software developer) Michal Gajdoš (software developer)

How to consume a Domino Web Services from Visual Studio under Security

ICT. PHP coding. Universityy. in any

Developing an Interoperable Blackboard Proxy Tool

vcenter Single Sign On Programming Guide vcenter Single Sign On SDK vsphere 5.5

IPSL - PRODIGUER. Messaging Platform Design

Interwise Connect. Working with Reverse Proxy Version 7.x

Web Services for Management Perl Library VMware ESX Server 3.5, VMware ESX Server 3i version 3.5, and VMware VirtualCenter 2.5

Software Design Document Securing Web Service with Proxy

Web Services Development In a Java Environment

InternetVista Web scenario documentation

Web Application Guidelines

Web Services Security with SOAP Security Proxies

WEB SERVICES. Revised 9/29/2015

NO SQL! NO INJECTION?

Customize Mobile Apps with MicroStrategy SDK: Custom Security, Plugins, and Extensions

Lecture 8a: WWW Proxy Servers and Cookies

European Access Point for Truck Parking Data

Authentication. Agenda. IT Security course Lecture April 14 th Niels Christian Juul 2. April 14th, 2003

Integration of Hotel Property Management Systems (HPMS) with Global Internet Reservation Systems

<Insert Picture Here> Building a Complex Web Application Using ADF and Siebel

Data Breaches and Web Servers: The Giant Sucking Sound

Server based signature service. Overview

Securing Web Services From Encryption to a Web Service Security Infrastructure

What is Distributed Annotation System?

WIRIS quizzes web services Getting started with PHP and Java

ICT. Universityy. in any

Single Sign-On Implementation Guide

WEB SERVICES SECURITY

OpenESB standalone edition Version 3.0 OpenESB set up in a multiple environments context. Application configurations and variables

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

Expert PHP 5 Tools. Dirk Merkel. Chapter No.2 "Documentation with phpdocumentor"

02267: Software Development of Web Services

NYSP Web Service FAQ

No SQL! no injection? A talk on the state of NoSQL security

Secure Coding SSL, SOAP and REST. Astha Singhal Product Security Engineer salesforce.com

Easy CramBible Lab DEMO ONLY VERSION Test284,IBM WbS.DataPower SOA Appliances, Firmware V3.6.0

JASPERREPORTS SERVER WEB SERVICES GUIDE

The release notes provide details of enhancements and features in Cloudera ODBC Driver for Impala , as well as the version history.

Novell Identity Manager

Transcription:

Web Service Facade for PHP5 Andreas Meyer, Sebastian Böttner, Stefan Marr

Agenda Objectives and Status Architecture Framework Features WSD Generator PHP5 eflection API Security Aspects used approach planned techniques Web Services Security Username Token Profile 1.0 Further used WSS features Coding Guidelines PHPDoc Tags Examples based on current TT-Implementation HPI, Seminar Web Programming - WS0506 / 2

Objectives Tool for generating WSDL-files from PHP5 code Inspect code and generate XSD-files for used parameter types Building a framework Combine tools Provide SOAP-Server for TT Consider security aspects Personalized services Authentication Web-Based SOAP-Server Configuration Example implementation based on old TT database Part of framework documentation Including guidelines and hints for usage HPI, Seminar Web Programming - WS0506 / 3

Architecture Client Client HTTP/SOAP HTTP/SOAP HTTP Server PHP Engine WSDL SOAP WSD Manager SOAP Server Web Admin PHP Source Files WSDL ADO DB Pages+Nav Lectures Notes Documents Tele Task Framework Web Services Polices Tele Task DB HPI, Seminar Web Programming - WS0506 / 4

WSD Manager HPI, Seminar Web Programming - WS0506 / 5

SOAP Server SOAP Extension PHP Engine SOAP SOAP Server equest Handler PCs Security Agent WSDL WSDL File Cache WSD Manager ADO DB User Management Lectures Notes Documents Tele Task Framework Web Services Polices Tele Task DB HPI, Seminar Web Programming - WS0506 / 6

Web Admin Features Set polices for provided web services Activate classes to provide Web Services Choose published methods Only public methods Web Admin Adjust documentation published in WSDL WSD Manager Policy Plugin ADO DB Tele Task Framework Web Services Polices TT DB HPI, Seminar Web Programming - WS0506 / 7

Constrains for this Approach General expectations on classes intended to be used as Web Services Problem: inputs via SOAP are only plain objects with members, no methods HPI, Seminar Web Programming - WS0506 / 8

Status Conceptual Design Security Standards WSS Approach HTTP based Generation of WSDL- and XSD-Files Extended eflection API Example Implementation Documentation Style Guide HPI, Seminar Web Programming - WS0506 / 9

WSD Generator - PHP5 eflection API PHP5 provides complete reflection API reverse-engineer Classes Interfaces Functions Methods Extensions retrieve doc comments object-oriented extension to Zend Engine used to gather information for generate WSDL- and XSD-files HPI, Seminar Web Programming - WS0506 / 10

PHP5 eflection API HPI, Seminar Web Programming - WS0506 / 11

Security Aspects Web Service Facade for PHP5 Andreas Meyer, Sebastian Böttner, Stefan Marr

Security: Aims usage of security aspects independently from WSDL-files prevent stateful webservices general procedure a proxy catches the messages controls the security aspects forward the messages to a worker implemented classes should be unattached by security aspects implementation of two different possibilities Token Framework Username Token Profile 1.0 HPI, Seminar Web Programming - WS0506 / 13

Security: Token Framework 1/2 General Information client connects to the register server and gets a token depending on username and password by the use of this token the access to the user s functions is controlled usage of PHP sessions usage of cookies egister Server Webservice Server HTTPS Webservice Client Secure Client Session Token Session egister Global User Object Secure Server SOAP Webservice WSDL WSDL Generator HPI, Seminar Web Programming - WS0506 / 14

Security: Token Framework 2/2 Advantages usage of existing standards stateful Web Services possible Disadvantages plaintext counteractive measures SSL HTTPS stateful Web Service HPI, Seminar Web Programming - WS0506 / 15

Security: Username Token Profile 1.0 1/3 General Information implementation of parts of the OASIS Web Services Security (WSS) xml syntax: <wsse:security> <wsse:usernametoken wsu:id="our-example"> <wsse:username> Andreas </wsse:username> <wsse:password Type="...#PasswordDigest"> weyi3nxd8ljmnvksckfv8t3rghh3w== </wsse:password> <wsse:nonce> WScqanjCEAC4mQoBE07sAQ== </wsse:nonce> <wsu:created> 2003-07-16T01:24:32Z </wsu:created> </wsse:usernametoken> </wsse:security> Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) ) HPI, Seminar Web Programming - WS0506 / 16

Security: Username Token Profile 1.0 2/3 security considerations the secret is put at the end of the input an not the front replay attacks: using message timestamps, nonces and caching recommends against replay attacks: reject any UsernameToken using not both nonces and timestamps using timestamp freshness limitation and rejecting all UsernameToken with stale timestamps caching nonces for a period of time and rejecting all UsernameToken with already used nonces HPI, Seminar Web Programming - WS0506 / 17

Security: Username Token Profile 1.0 3/3 Advantages open standard (supported by IBM, SUN (java), ) independent of PHP, e.g. other clients with different programming languages can use it there are only self-writing-alternatives Disadvantages Password_Digest valid for a specified time-frame counteractive measures: one-time nonce Possibly plaintext passwords HPI, Seminar Web Programming - WS0506 / 18

Coding Guidelines Web Service Facade for PHP5 Andreas Meyer, Sebastian Böttner, Stefan Marr

Coding and Style Guidelines WSDL-files are necessary to define communication between Web Service Client and Server Interface specification of Web Service needed Documentation is added to compensate the lack of datatype info phpdocumentor-tags: existing parsers can be used common standard Enhanced readability and easier maintenance as a plus HPI, Seminar Web Programming - WS0506 / 20

WSDL Example HPI, Seminar Web Programming - WS0506 / 21

General Guidelines One header block comment per file One comment per class, method or function Short documentation for every variable DocComments start with /** and end with */, beginning with a description followed by the DocTags Maximum of 77 chars per line CamelCase, avoid underscores HPI, Seminar Web Programming - WS0506 / 22

Datatype Declaration Tags needed for WSDL Parser: @return datatype description States the datatype of the return value and additional information @var datatype description States the datatype and additional information for variables @param datatype $paramname description States the datatype and information for function arguments datatype may be Integer String Double Boolean AnyClass array of a datatype (string[], integer[], MyClass[], ) Associative arrays as: array<datatype,datatype> No mixed HPI, Seminar Web Programming - WS0506 / 23

Header Block Comments Short description Optional long description Project name At least: @package @author @copyright @license @lastchange Optional: @deprecated @internal @see @since @uses @version HPI, Seminar Web Programming - WS0506 / 24

Classes and Attributes Similar to Header Block Comments (same Tags) Optical differences for distinguishing There must be one comment for each variable At least datatype must be present Description optional HPI, Seminar Web Programming - WS0506 / 25

Methods and Functions Short description Optional long description At least @param and @return must be present if existent //end of functionname if method spans more than 15 lines HPI, Seminar Web Programming - WS0506 / 26

Control Structures //end of structure comment if structure spans more than 15 lines HPI, Seminar Web Programming - WS0506 / 27

eferences [UTP10] Web Services Security - UsernameToken Profile 1.0 OASIS Standard 200401, March 2004 http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf [WSS11] Web Services Security: SOAP Message Security 1.1 Working Draft - 07 November 2005 http://www.oasis-open.org/committees/download.php/15251/oasis-wss-soap-message-security-1.1.pdf [PHPMAN] PHP.net Manual http://www.php.net/manual/en/ref.soap.php http://www.php.net/manual/en/language.oop5.reflection.php [PEA] PEA Coding Standards http://pear.php.net/manual/en/standards.php [PHPDOC] phpdocumentor tags How to use tags in DocBlocks http://manual.phpdoc.org/htmlsmartyconverter/hands/phpdocumentor/tutorial_tags.pkg.html [XSD] XML Schema Part 2: Datatypes Second Edition http://www.w3.org/t/xmlschema-2/ [JAVADOC] How to Write Doc Comments for the Javadoc Tool http://java.sun.com/j2se/javadoc/writingdoccomments/ [STYLE] Style Guide http://www.hpi.uni-potsdam.de/fileadmin/hpi/fg_its/lecturenotes/webprogrammierung/style_guide/index.html HPI, Seminar Web Programming - WS0506 / 28

WebService Facade for PHP5 Q & A Andreas Meyer, Sebastian Böttner, Stefan Marr

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information