NuSOAP, HTTP Authentication and HTTP Proxy

NuSOAP and HTTP Authentication

 


I regularly receive emails from friends messing around with NuSOAP asking about various features of the library. Most of the questions are about HTTP authentication and HTTP proxies. Here are my two cents to try and help.

If your web service requires HTTP authentication, don't worry: NuSOAP includes the method you need, setCredentials. Here is an example of the simplest case:

require_once 'nusoap.php';

// "soapclient" is the class name in NuSOAP releases before 0.7.3; newer releases
// call it "nusoap_client" (renamed to avoid clashing with PHP's built-in SoapClient)
$soapclient = new soapclient("http://myserver/mysoapservice.php");
$soapclient->setCredentials("user", "password");

I said "the simplest case" because setCredentials is more complete than this. Here we are assuming Basic authentication (the type that, when enabled on a web page, makes the browser pop up a dialog asking for a user/password pair). The authentication type is the third parameter of setCredentials and can be "basic", "digest" or "certificate"; "basic" is the default, so we omitted it. With Basic, the "username:password" pair is base64 encoded and sent to the server in the Authorization header of every request.
Basic authentication sends the credentials in the clear (base64 is just a content transfer encoding, not encryption: anyone who can see the request decodes it with no key at all) and is therefore insecure unless the connection itself is protected by TLS (https). There are two more HTTP authentication types we can rely on:

  • Digest Authentication Type
  • Certificate Authentication Type
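Before looking at those two, here is the Basic case with the one check it always deserves. This is an added example, not code from the original post or from the NuSOAP project; it assumes nusoap.php is on the include path, and the URL, method name and credentials are placeholders.

```php
<?php
// Added example: refuse to send Basic credentials over anything but https.
// Assumes nusoap.php is on the include path; URL, method and credentials are placeholders.
require_once 'nusoap.php';

function basic_auth_client($endpoint, $user, $password) {
    // Basic auth is "user:password" base64-encoded on every request: anyone who
    // can see the traffic gets the password back with base64_decode(), no key needed.
    if (parse_url($endpoint, PHP_URL_SCHEME) !== 'https') {
        throw new RuntimeException("refusing Basic authentication over a non-https URL: $endpoint");
    }
    $client = new nusoap_client($endpoint);    // "soapclient" in NuSOAP releases before 0.7.3
    $client->setCredentials($user, $password);  // third parameter defaults to 'basic'
    return $client;
}

$client = basic_auth_client('https://myserver/mysoapservice.php', 'user', 'password');
$result = $client->call('someMethod', array('param' => 'value'));
if ($client->getError()) {
    echo 'SOAP call failed: ' . $client->getError() . "\n";
} else {
    print_r($result);
}
```

The guard is deliberately placed before the client is built, so a misconfigured endpoint fails before any request carrying the password leaves the machine.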


On Wikipedia you will find the following definition of Digest Access Authentication:
"... allowing user identity to be established securely without having to send a password in plaintext over the network. Digest authentication is basically an application of MD5 cryptographic hashing with usage of nonce values to prevent cryptanalysis."
This type of authentication implies a sort of handshake between server and client, so that the password itself never crosses the wire and "curious" eyes cannot simply read it out of the request.
You tell NuSOAP to use Digest authentication by passing "digest" as the third parameter to setCredentials and, as the fourth parameter, an array containing the following keys:

  • “realm”
  • “nonce”
  • “nc”
  • “qop”


"realm" is the authentication realm; "nonce" stands for "number used once" and is a random value generated by the server. Both values come from the server in a first, unauthenticated request and are then used for the real authentication.
In practice we do a plain GET request to the resource that requires Digest authentication. The server answers with a 401 carrying the challenge, something like this:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="digestedaccess", nonce="Ab32Hh49iueg78bdg563jsndjk",
opaque="0000000000000000", stale=false, algorithm=MD5, qop="auth"


What we are interested in here are "realm", "nonce" and "qop" (quality of protection). We'll use them in the array passed as the fourth parameter to setCredentials. "nc" is a counter of how many times the nonce has been used; the client bumps it on every request that reuses the same nonce, which is what lets the server detect a replayed request.
The value "auth" for "qop" means authentication only (it can also be "auth-int": authentication plus integrity protection of the request body).
With the values we have, our method call becomes:

$soapclient->setCredentials("user", "password", "digest",
    array(
        "realm" => "digestedaccess",
        "nonce" => "Ab32Hh49iueg78bdg563jsndjk",
        "nc"    => 0,
        "qop"   => "auth"
    )
);
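The steps above (unauthenticated GET, read the challenge, pass realm/nonce/qop to setCredentials) put together, as an added example that is not part of the original post or of NuSOAP itself. It assumes nusoap.php is on the include path, that allow_url_fopen is enabled for the initial GET, and that the host, path, method name and credentials (all placeholders) point at a service which answers an unauthenticated GET with a 401 and a WWW-Authenticate: Digest header.

```php
<?php
// Added example: fetch the Digest challenge, parse it, hand it to setCredentials.
// Assumes nusoap.php on the include path and allow_url_fopen for the first GET;
// endpoint, method name and credentials are placeholders.
require_once 'nusoap.php';

// Step 1: a bare GET, no credentials, only to collect the 401 challenge.
function fetch_digest_challenge($endpoint) {
    $ctx = stream_context_create(array('http' => array(
        'method'        => 'GET',
        'ignore_errors' => true,   // a 401 must not be treated as a failed fetch
        'timeout'       => 10,
    )));
    @file_get_contents($endpoint, false, $ctx);
    // the http stream wrapper fills $http_response_header in this scope
    if (!isset($http_response_header)) {
        throw new RuntimeException("no HTTP response from $endpoint");
    }
    foreach ($http_response_header as $line) {
        if (stripos($line, 'WWW-Authenticate: Digest ') === 0) {
            return substr($line, strlen('WWW-Authenticate: '));
        }
    }
    throw new RuntimeException("$endpoint did not issue a Digest challenge");
}

// Step 2: 'Digest realm="x", nonce="y", stale=false, qop="auth"' -> array('realm' => 'x', ...)
function parse_digest_challenge($challenge) {
    $params = array();
    // key="quoted value"  or  key=bareword (algorithm=MD5, stale=false)
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($challenge, strlen('Digest ')), $m, PREG_SET_ORDER);
    foreach ($m as $kv) {
        $params[strtolower($kv[1])] = (isset($kv[3]) && $kv[3] !== '') ? $kv[3] : $kv[2];
    }
    foreach (array('realm', 'nonce') as $required) {
        if (!isset($params[$required]) || $params[$required] === '') {
            throw new RuntimeException("Digest challenge has no $required");
        }
    }
    if (isset($params['algorithm']) && strtoupper($params['algorithm']) !== 'MD5') {
        // NuSOAP's digest code is MD5-based; a SHA-256 challenge (RFC 7616) cannot be answered with it
        throw new RuntimeException("unsupported Digest algorithm: {$params['algorithm']}");
    }
    return $params;
}

// Step 3: realm/nonce/qop go to NuSOAP, which builds the Authorization header from them.
function digest_client($endpoint, $user, $password) {
    $ch  = parse_digest_challenge(fetch_digest_challenge($endpoint));
    $qop = '';
    if (isset($ch['qop'])) {
        // the server may offer "auth,auth-int"; prefer "auth", the value used in the text above
        $offered = array_map('trim', explode(',', $ch['qop']));
        $qop = in_array('auth', $offered, true) ? 'auth' : $offered[0];
    }
    $digestRequest = array(
        'realm' => $ch['realm'],
        'nonce' => $ch['nonce'],
        'nc'    => 0,          // nonce-use counter, started at 0 as in the call above
        'qop'   => $qop,
    );
    $client = new nusoap_client($endpoint);
    $client->setCredentials($user, $password, 'digest', $digestRequest);
    return $client;
}

$client = digest_client('http://myserver/mysoapservice.php', 'user', 'password');
$result = $client->call('someMethod', array('param' => 'value'));
if ($client->getError()) {
    echo 'SOAP call failed: ' . $client->getError() . "\n";
} else {
    print_r($result);
}
```

If the server answers the SOAP call with a fresh 401 whose challenge says stale=true, the nonce has expired: fetch a new challenge and rebuild the client rather than retrying with the old nonce.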


Digest authentication is more secure than Basic: the password is never sent as such. It is combined with the server-generated nonce (plus realm, request method and URI) and MD5 hashed; MD5 is a one-way hash, so the clear password cannot be read directly from the response value. It is not a substitute for TLS, though. The SOAP request and response bodies still travel in the clear (with qop="auth" they are not even integrity-protected), an active attacker on the path can tamper with them, and anyone who captures one challenge/response pair can guess the password offline, because everything needed to recompute the hash except the password is right there in the headers.
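What "combined and MD5 hashed" means concretely, and why a captured exchange is enough for offline guessing: the RFC 2617 computation for qop=auth, as an added example. This is not NuSOAP's code (the library picks its own cnonce and nc values) and every value below is constructed for the demonstration.

```php
<?php
// Added example: the RFC 2617 Digest response (qop=auth) and an offline guess against it.
// Standalone PHP, no NuSOAP needed; all captured values are constructed for the demo.

function digest_ha1($user, $realm, $password) {
    return md5("$user:$realm:$password");
}

// response = MD5( HA1 : nonce : nc : cnonce : qop : MD5(method:uri) )
function digest_response($user, $realm, $password, $method, $uri, $nonce, $nc, $cnonce, $qop) {
    $ha1 = digest_ha1($user, $realm, $password);
    $ha2 = md5("$method:$uri");
    return md5("$ha1:$nonce:$nc:$cnonce:$qop:$ha2");
}

// Everything an observer of one request sees, except the password:
$captured = array(
    'username' => 'user',
    'realm'    => 'digestedaccess',
    'nonce'    => 'Ab32Hh49iueg78bdg563jsndjk',
    'uri'      => '/mysoapservice.php',
    'nc'       => '00000001',
    'cnonce'   => '0a4f113b',
    'qop'      => 'auth',
    'method'   => 'POST',
);
// ... plus the response value the client sent (computed here with the real password).
$captured['response'] = digest_response('user', $captured['realm'], 'password',
    $captured['method'], $captured['uri'], $captured['nonce'],
    $captured['nc'], $captured['cnonce'], $captured['qop']);

// The password itself never crossed the wire, but a weak one falls to a word list:
// recompute the response for each candidate until one matches.
function guess_digest_password(array $c, array $wordlist) {
    foreach ($wordlist as $candidate) {
        $r = digest_response($c['username'], $c['realm'], $candidate, $c['method'],
            $c['uri'], $c['nonce'], $c['nc'], $c['cnonce'], $c['qop']);
        if (hash_equals($c['response'], $r)) {
            return $candidate;
        }
    }
    return null;
}

$found = guess_digest_password($captured, array('123456', 'letmein', 'password', 'hunter2'));
echo $found === null ? "no match in word list\n" : "password recovered from captured headers: $found\n";
```

The nonce and cnonce change the response value on every exchange, which is what stops a straight replay, but they are public, so they add nothing against guessing. A strong password, or better, Digest over TLS, is the actual defence.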
Even more secure is the third method: Certificate authentication.
This means presenting an SSL/TLS client certificate that the server recognizes. To fully understand it we would need to explain the basics of public key infrastructure, which is out of the scope of this article; you can find extensive information about it on Wikipedia.
To use this authentication method with NuSOAP, set "certificate" as the third parameter of setCredentials and pass, as the fifth parameter (the fourth, the digest array, can be left empty), an array with at least the following keys:

  • "sslcertfile", the client certificate file (PEM)
  • "sslkeyfile", the private key file (PEM) belonging to that certificate
  • "passphrase", the passphrase protecting that private key
  • "cainfofile" (optional), the Certification Authority certificate file (PEM) used to verify the server's certificate
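Certificate authentication with the sanity checks worth running before the files reach NuSOAP, as an added example (not the original post's code and not NuSOAP's own). It assumes nusoap.php on the include path and PHP's OpenSSL extension; NuSOAP sets client-certificate options through the cURL extension, so that must be installed as well. The URL, file paths and passphrase are placeholders.

```php
<?php
// Added example: certificate authentication with early checks on the key material.
// Assumes nusoap.php, the OpenSSL extension (for the checks) and cURL (used by NuSOAP for https);
// endpoint, file paths and passphrase are placeholders.
require_once 'nusoap.php';

function certificate_client($endpoint, $certfile, $keyfile, $passphrase, $cafile) {
    if (parse_url($endpoint, PHP_URL_SCHEME) !== 'https') {
        throw new RuntimeException('a client certificate can only be presented over https');
    }
    foreach (array($certfile, $keyfile, $cafile) as $f) {
        if (!is_readable($f)) {
            throw new RuntimeException("cannot read $f");
        }
    }
    // Fail early and clearly on the usual mistakes (key from a different pair, wrong
    // passphrase, expired certificate) instead of decoding a cURL error later.
    $cert = openssl_x509_read(file_get_contents($certfile));
    if ($cert === false) {
        throw new RuntimeException("$certfile is not a PEM certificate");
    }
    $key = openssl_pkey_get_private(file_get_contents($keyfile), $passphrase);
    if ($key === false) {
        throw new RuntimeException("$keyfile is not a PEM private key, or the passphrase is wrong");
    }
    if (!openssl_x509_check_private_key($cert, $key)) {
        throw new RuntimeException('the private key does not belong to the certificate');
    }
    $info = openssl_x509_parse($cert);
    if ($info['validTo_time_t'] < time()) {
        throw new RuntimeException('client certificate expired on ' . date('Y-m-d', $info['validTo_time_t']));
    }

    $client = new nusoap_client($endpoint);
    // username/password are unused for this type; the digest array (4th parameter) stays empty.
    $client->setCredentials('', '', 'certificate', array(), array(
        'sslcertfile' => $certfile,
        'sslkeyfile'  => $keyfile,
        'passphrase'  => $passphrase,
        // CA bundle used to verify the *server's* certificate. Pin the CA you expect;
        // never "fix" a verification error by switching verification off.
        'cainfofile'  => $cafile,
    ));
    return $client;
}

$client = certificate_client('https://myserver/mysoapservice.php',
    '/etc/ssl/client/client.pem', '/etc/ssl/client/client.key', 'key-passphrase',
    '/etc/ssl/client/ca.pem');
$result = $client->call('someMethod', array('param' => 'value'));
if ($client->getError()) {
    echo 'SOAP call failed: ' . $client->getError() . "\n";
} else {
    print_r($result);
}
```

Keep the key file readable only by the account running PHP: the certificate is the identity, but the key is what proves it, and a world-readable key is no better than a password in a config file.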

NuSOAP and HTTP Proxy

This is something I've been asked about many times, and honestly I don't know why, since NuSOAP includes a simple, self-documented method for it: setHTTPProxy. Here is a simple example:

// the first argument is the proxy's host name, not a URL: the socket transport hands it straight to fsockopen()
$soapclient->setHTTPProxy("proxyhost", 8080, "proxy_user", "proxy_password");

The second parameter is the proxy port; the third and fourth are the proxy username and password, which you can leave out if the proxy does not require authentication (a fifth parameter, the proxy authentication type, defaults to "basic").
That's all.
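In practice the proxy usually comes from the environment rather than being hard-coded. Here is an added example (not from the original post or from NuSOAP) that takes the conventional https_proxy / http_proxy value of the form http://user:pass@proxyhost:3128 and feeds its parts to setHTTPProxy; it assumes nusoap.php on the include path, and the endpoint and method name are placeholders.

```php
<?php
// Added example: configure NuSOAP's proxy from an https_proxy / http_proxy style variable.
// Assumes nusoap.php on the include path; endpoint and method name are placeholders.
require_once 'nusoap.php';

function apply_proxy_from_env(nusoap_client $client, $var = 'https_proxy') {
    $url = getenv($var);
    if ($url === false || $url === '') {
        return false;                       // no proxy configured, direct connection
    }
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) {
        throw new RuntimeException("$var is not a valid proxy URL: $url");
    }
    // setHTTPProxy wants the bare host name (not "http://host"), the port, and the
    // proxy credentials; rawurldecode() because "p@ss" is stored as "p%40ss" in the URL.
    $client->setHTTPProxy(
        $p['host'],
        isset($p['port']) ? (int) $p['port'] : 8080,
        isset($p['user']) ? rawurldecode($p['user']) : '',
        isset($p['pass']) ? rawurldecode($p['pass']) : ''
    );
    return true;
}

$client = new nusoap_client('https://myserver/mysoapservice.php');
$via_proxy = apply_proxy_from_env($client);
$result = $client->call('someMethod', array('param' => 'value'));
if ($client->getError()) {
    echo 'SOAP call failed' . ($via_proxy ? ' (through proxy)' : '') . ': ' . $client->getError() . "\n";
} else {
    print_r($result);
}
```

Proxy credentials sent with "basic" proxy authentication have exactly the weakness described for Basic above (they are base64, not encrypted), so treat the proxy's password with the same care as the web service's.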
