djoos / EscapeWSSEAuthenticationBundle

Symfony bundle to implement WSSE authentication
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

Use the token after authentication??? #17

Closed pinouf closed 11 years ago

pinouf commented 11 years ago

hello,

I didn't know if my question is correct.

I installed the bundle and log in with WSSE authentication.

/**
 * @Route("/call", name="test_call")
 * @Template()
 */
public function callAction()
{
    $curl_handle = curl_init();

    curl_setopt($curl_handle, CURLOPT_URL, 'http://localhost/wazazazaa/web/app_dev.php/getToken');
    // The X-WSSE header carries the credentials for this single request.
    curl_setopt($curl_handle, CURLOPT_HTTPHEADER, array($this->generate_wsse_header('user', 'userpass')));

    curl_exec($curl_handle);
    echo curl_getinfo($curl_handle, CURLINFO_HTTP_CODE);

    curl_close($curl_handle);
    die; // ends the request here instead of returning a Response
}

private function generate_wsse_header($username, $secret)
{
    // date_default_timezone_set('Europe/Paris');
    $nonce = md5(rand(), true);   // 16 raw bytes used as the nonce
    $created = date(DATE_ATOM);   // e.g. 2013-05-15T10:00:00+02:00

    // PasswordDigest = Base64(SHA1(nonce + created + secret)), computed over the raw bytes
    $digest = base64_encode(sha1($nonce.$created.$secret, true));
    $b64nonce = base64_encode($nonce);

    return sprintf('X-WSSE: UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"',
        $username,
        $digest,
        $b64nonce,
        $created
    );
}

The login is OK, but how can I get a token? I would like to call a web service /api/* only if I am logged in with WSSE authentication.

I have seen that the WSSE authentication has a lifetime; how could I use this time when I am logged in to call another web service??

Maybe I must use nonces?

Thanks :-)

djoos commented 11 years ago

Hi @pinouf,

WSSE authentication is perfect to secure your web service(s), but by using WSSE authentication you are not actually "logging in" to the web service, you are passing the required credentials along with the request so the web service can decide whether you're allowed to access the end point or not.

We use WSSE for our REST APIs, which are stateless ("no client context is stored between requests - each request from any client contains all of the information necessary to service the request", http://en.wikipedia.org/wiki/Representational_state_transfer), hence X-WSSE is added onto each (secured) request.

Would you be able to share a bit more of what you have in mind for your web service?

Kind regards, David
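To make concrete what "passing the credentials along with each request" means on the receiving side, here is an added example (not the bundle's code and not from either participant) of the checks a WSSE-protected endpoint performs on every X-WSSE value it gets; the lifetime value, the in-memory nonce store and the function names are assumptions.

```php
<?php
// Added example, not the bundle's code: the checks a WSSE-protected endpoint runs
// on every request. The lifetime value and the in-memory nonce store are assumptions.

const WSSE_LIFETIME = 300; // seconds a Created timestamp stays acceptable (assumed)

// Builds the X-WSSE value the same way the client code in the issue does.
function build_wsse_value(string $username, string $secret, string $nonce, string $created): string
{
    $digest = base64_encode(sha1($nonce . $created . $secret, true));
    return sprintf('UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"',
        $username, $digest, base64_encode($nonce), $created);
}

// $nonceStore maps a seen base64 nonce to its expiry time; it stands in for the bundle's
// nonce cache. Returns null when the request is accepted, otherwise the rejection reason.
function verify_wsse_value(string $value, callable $lookupSecret, array &$nonceStore, int $now): ?string
{
    $re = '/UsernameToken Username="([^"]+)", PasswordDigest="([^"]+)", Nonce="([^"]+)", Created="([^"]+)"/';
    if (!preg_match($re, $value, $m)) {
        return 'malformed header';
    }
    [, $username, $digest, $b64nonce, $created] = $m;

    // 1. Created must parse and lie inside the lifetime window (small clock skew allowed).
    $createdTs = strtotime($created);
    if ($createdTs === false || $createdTs > $now + 60 || $now - $createdTs > WSSE_LIFETIME) {
        return 'created timestamp outside lifetime';
    }

    // 2. Drop expired nonces, then refuse any nonce seen before: this is the replay defence.
    $nonceStore = array_filter($nonceStore, fn(int $exp) => $exp > $now);
    $nonce = base64_decode($b64nonce, true);
    if ($nonce === false || isset($nonceStore[$b64nonce])) {
        return 'nonce reused or invalid';
    }

    // 3. Recompute the digest from the stored secret; compare in constant time.
    $secret = $lookupSecret($username);
    if ($secret === null) {
        return 'unknown user';
    }
    if (!hash_equals(base64_encode(sha1($nonce . $created . $secret, true)), $digest)) {
        return 'bad digest';
    }

    $nonceStore[$b64nonce] = $now + WSSE_LIFETIME;
    return null;
}
```

Steps 1 and 2 are what the "lifetime" and "nonces" from the question are for: they bound how long a captured header stays usable and stop the same header from being accepted twice, rather than handing out a session token.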

pinouf commented 11 years ago

Hi @djoos,

If I understood, whenever I would like to call a web service, I have to pass login, password, nonce and date in the header?? It is strange =/

In my mind, I thought that the first WSSE-authenticated request by a user registered in my system would give me a token valid for a lifetime, and thanks to this token I would be able to call another web service which requires being logged in (for example getmyprofil or change password).

It seems that it is not that?

I have another question: must the password of the user be plaintext?

best regards, Jm

djoos commented 11 years ago

Hi,

which web service are you trying to set up? If it's RESTful, it is stateless, so you'll have to pass in the credentials every time...

I'll be able to help you out better if you give me a better understanding about what kind of web service you're working on...

Re: plain text: just like with any credentials, I strongly recommend contacting your web service over HTTPS!

Thanks in advance for your feedback!

pinouf commented 11 years ago

@djoos

Sorry, I forgot to say that the web service is REST =) !!

djoos commented 11 years ago

Hi,

thanks!

Well, in that case it's easy: REST is stateless, so you will have to pass on the credentials on every call - not because of WSSE, but because of REST...

Please have a read through the article I sent earlier today on Wikipedia for more information. Don't hesitate to ask me any further questions, as we've got several REST API'd applications running...

Hope this helps!

pinouf commented 11 years ago

Yes!! Your response helped me.

thank you =)

djoos commented 11 years ago

You're welcome, have a great evening!