Restricting access to ASMX web service - php

There is this existing ASP.NET (2.0) web service that's called from PHP. Runs fine. Now the need arises to restrict access. Constraint: I currently don't have access to IIS/Windows account management to implement something robust.
I'm thinking about adding a SOAP header to the PHP call, containing a secret key, and then checking the contents of the header in the ASP.NET web service.
I'm fairly new to SOAP, so I might be way off though, any better ideas are appreciated!

SOAP Headers would work. So would a client certificate. The question will be: what can PHP handle?

I recommend the book Mastering Web services security By Bret Hartman, Donald J. Flinn, Konstantin Beznosov, Shirley Kawamoto
SUMMARY: Authorization policies restrict access to many different collections of ... of Web Services security. For this scenario, we've chosen to use ASP.NET.
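
The PHP side of the shared-key SOAP header idea from the question, as an added example that is not part of the original thread. It assumes PHP's soap extension; the names `AuthHeader`, `Key`, `GetListings`, the namespace and the endpoint URL are hypothetical placeholders, and the subclass only exists so the envelope can be inspected without a server.

```php
<?php
// Added example (not from the thread). Requires PHP's soap extension.
// Hypothetical names: AuthHeader, Key, GetListings, SERVICE_NS, SERVICE_URL.
const SERVICE_NS  = 'http://tempuri.org/';                // placeholder namespace
const SERVICE_URL = 'https://service.example/Data.asmx';  // placeholder endpoint

// Records the outgoing envelope and answers with a canned reply so the
// example runs offline. Against the real service, use plain SoapClient
// built from its WSDL.
class CapturingSoapClient extends SoapClient
{
    public $lastEnvelope = '';

    public function __doRequest($request, $location, $action, $version, $oneWay = false): ?string
    {
        $this->lastEnvelope = $request;
        return '<?xml version="1.0" encoding="utf-8"?>'
            . '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            . '<GetListingsResponse xmlns="' . SERVICE_NS . '">'
            . '<GetListingsResult>ok</GetListingsResult>'
            . '</GetListingsResponse></soap:Body></soap:Envelope>';
    }
}

function callWithKey(string $secret): array
{
    // The key travels in the request as-is, so it is readable on the wire
    // unless the transport is TLS.
    if (strncasecmp(SERVICE_URL, 'https://', 8) !== 0) {
        throw new RuntimeException('refusing to send the shared key over plain HTTP');
    }
    $client = new CapturingSoapClient(null, ['location' => SERVICE_URL, 'uri' => SERVICE_NS]);
    // Adds an AuthHeader element with a Key child to the SOAP Header.
    $client->__setSoapHeaders(new SoapHeader(SERVICE_NS, 'AuthHeader', (object) ['Key' => $secret]));
    $result = $client->__soapCall('GetListings', []);
    return [$result, $client->lastEnvelope];
}

// Constructed demo value; a deployment would load the key from configuration.
[$result, $envelope] = callWithKey('constructed-demo-key');
echo $envelope, PHP_EOL, 'result: ', var_export($result, true), PHP_EOL;
```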

Related

Ruby SSO, CAS, oauth, userstore. What options do I have?

Q: How would you create a SSO? What would you do about authentication (separate app or same as sso) and user store?
Background info:
We have 40+ php apps, java apps and Ruby apps.
Currently, we have a custom SSO+authentication solution. It's an app written in php that is now used as SSO, while supporting email/username/phone-number + password as authentication. It works, but was built for a few apps only, not originally meant to be the SSO solution. It doesn't have a usable view, every app creates their own login/register forms and uses the API. They share context and we'd like a more universal design.
Now we want to support OAuth and OpenID solutions, such as Facebook Connect, Google and more (or do we really?), in addition to existing authentications. We can expand the existing php solution, but we are considering alternatives.
If you were to do all this in Ruby, what would you do?
Some additional info:
All users exist in SSO, today.
The company does acquire other companies/systems at times, having their own users. Would you migrate or create some kind of mapper?
Customers in a Microsoft CRM, but I consider this unrelated. Or do I?
I've shallowly looked at RubyCAS and ClassyCAS, and don't know if they are suitable. Is CAS the way to go?
Would you keep going with php? What would you use?
As you see, I have a lot of questions. What would you suggest?
In a previous job we used Jasig CAS for SSO (several apps in Java and Python). After getting over some quirks in the configuration and my dislike of all things Java, it actually worked pretty well. At the time I found the wiki to be a valuable resource, but things might have changed in the last year.
Authentication was handled via a separate app (custom) using an OpenLDAP directory that was preinitialized with a script that got user info out of an AD server.
Regarding the actual server you might actually want to use the Jasig one, IIRC it's the reference implementation and is easy to customize via a Maven overlay.
Ruby-cas FTW.

Which is the best feasible solution for sharing the data from the database?

Here is my scenario: I am building a web application using PHP and MySQL. Basically it is a real estate application, where I would like to share the data among several other platforms and devices. Here is what I intend to do:
a) Build the web app to be used with the browser using PHP, MySQL, and AJAX (this will be my server).
b) Extend the support and build a desktop application using POKKI.
c) Extend the support and build an application for Android and iOS devices.
d) All data transactions for the app should take place from the web server.
e) Basically it will be a server-client application, where the server will be my web server and the clients will be the iOS app, Android app, Pokki etc.
I am not a hardcore programmer, although it has been more than 1 year since I started using PHP, and I do understand it to my use. I would like to know the best feasible solution on how to share the data among the different clients (POKKI, iOS app, Android app).
I would like to know:
a) Do I have to connect to the database directly from the client and access the data? Is it possible? Is it bad if I go this way?
b) Do I have to create a public class with an API sign-up process? What would be the real scenario if I would like to make it cross-platform?
A humble request to all of you to guide me on how these things work. Any articles, resources, or links that can prove useful to me will also be appreciated.
Thank you.
I think you should create an API which allows you to access the database strictly as you want it. Look at the twitter API for example and see how it allows third parties to access their data using simple requests.
So your site uses the DB directly, whereas all other applications you want to make will use the API (which runs on your web server).
This would give you the flexibility to control who gets access and who doesn't (only your own apps or even third parties etc.) and allows you to build kick-ass applications without putting your actual database at risk.
Hope this helps!
1 - you should not allow client to access data directly - bad.
2 - sign-ups are easy with OpenID: let Google or any other OpenID provider handle authentication, and you deal with your own clean code without worrying about auth.
http://code.google.com/apis/accounts/docs/OpenID.html
You can create an XML API and share the data from your server.
On different types of client you can easily parse the XML data and process it or show it.
In the XML API, if you want to restrict access then you can provide the restriction.
Please let me know if you have any issues.
Thanks and Regards,
Ankur K Singh
Take a look at getfrapi.com for building an API.

How to have a native android app authenticate with web backend?

I'm working on developing a native android application to retrieve data for a user from my company's website.
Because the data is specific to the user, I need to authenticate with our web server, but I'm unsure of the best way to go about this. I've been reading about REST/SOAP/HTML form auth, but I can't really find any definite 'this is how it's done' anywhere. I know mobile apps do this kind of thing all the time - just look at facebook/skype/any email app - you have to login before you can do anything.
My question is - how should I architect the server side code (php) to easily allow me to authenticate a user from my android device?
I'm fairly new to the 'web service' arena - does this fall into that category? Are there any tutorials you guys would recommend looking at?
Thanks!
While I haven't developed for Android, I can suggest that you simply rely on some stateless authentication scheme, such as HTTP Basic or Digest. This means that the credentials will be passed with each and every request, and you avoid having to keep track of state, which means you can keep your API nice and RESTful.
I suspect if I were writing an android app, in most cases, I'd probably first try to get communication working with something at-least-vaguely RESTful, using HTTP Basic auth, and JSON encoding (just because PHP makes (de)serializing JSON so easy).
Of course, depending on your problem domain, that might not be ideal, but it's a good architecture to try first, because it's pretty easy all-around. If it fails you, you can go back and start swapping parts out, until you find the right architecture.
Some mobile apps use OAuth to authenticate with a web server, such as twitter has. This may not be exactly what you're looking for, but nonetheless here's an example: You would log in to the web service and authenticate the mobile app (which would have requested access) to be able to utilize your data on the web service, like an access key (actually called a token) which the mobile app then utilizes to communicate with the web service on your behalf; the token could then be passed as part of the url. You'll still likely want to consider SSL or some level of encryption.
This post may also be of help for you
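
A server-side sketch of the stateless HTTP Basic plus JSON approach suggested in the answers above, added here as an example that is not part of the original thread. The user store, the request arrays and the function names `basicCredentials` and `handle` are constructed for the demo; a real endpoint would pass `$_SERVER` and a database-backed lookup.

```php
<?php
// Added example: stateless HTTP Basic check for a JSON API endpoint.
// The user store and request arrays below are constructed for the demo.

function basicCredentials(array $server): ?array
{
    // mod_php fills PHP_AUTH_*; under CGI/FastCGI only the raw header may arrive.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    $raw = $server['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($raw, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($raw, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);   // the password may itself contain ':'
}

function handle(array $server, array $users): array
{
    // Basic credentials are only base64-encoded, so plain HTTP exposes them.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return [403, ['error' => 'https_required']];
    }
    [$user, $pass] = basicCredentials($server) ?? ['', ''];
    // Unknown users are checked against a dummy hash so response time
    // does not reveal which account names exist.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
    $known = isset($users[$user]);
    $valid = password_verify($pass, $known ? $users[$user] : $dummy);
    return ($known && $valid)
        ? [200, ['user' => $user]]
        : [401, ['error' => 'invalid_credentials']];
}

$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$requests = [
    ['HTTPS' => 'on', 'PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'correct horse'],
    ['HTTPS' => 'on', 'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:wrong')],
    ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:correct horse')],
];
foreach ($requests as $request) {
    [$status, $body] = handle($request, $users);
    echo $status, ' ', json_encode($body), PHP_EOL;
}
```

In a live script the status would go to `http_response_code()`, a 401 would also carry a `WWW-Authenticate: Basic` header, and the body would be sent with `json_encode()`.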

Using ADFS 2.0 with non-.NET services

I am looking at ways to tie a number of Windows-based web services together under single-sign-on. Microsoft's Windows Identity Framework and ADFS 2.0 are the perfect tools for the job, except that not all of our web services are written in .NET. One is classic ASP and another PHP. Are there existing libraries that will work for those platforms, or will I need to build them from scratch?
There are two ways to do this that I can think of off the top of my head:
Find a product that will sit in your Web server that intercepts calls, bounces unauthenticated users to an IdP, parses the responses, and puts the data in the header of the requests that it then passes on to your ASP/PHP app. There are many types of products that do this, e.g., Shibboleth SP, Ping Identity, and OpenSSO. I think Centrify DirectControl and Quest Single Sign-on might also provide this sort of capability.
Build a comparable component yourself that can do this sort of thing and leverage frameworks to help with the parsing of SAML and/or WS-Federation messages. If you take this route, check out SimpleSAMLphp and OIOSAML.NET.
HTH!
Using the IIS 7.0 pipeline you can write an HTTP module that will handle authentication for all sites hosted on the IIS (including classic ASP and PHP).
See: MSDN article

Websphere single sign on from PHP site?

I need to provide SSO for a WebSphere portal. The authentication process needs to be handled by a PHP site (which itself should authenticate a user against an Active Directory via LDAP - think I have this bit covered though). I have been told I need to create an LTPA cookie. How would I go about doing this? What information needs to be set? Will WebSphere be able to read this cookie and grant access to the user?
WebSphere comes with out-of-box support for propagation of authentication using LTPA tokens (in web apps, these are usually stored in cookies named LTPAToken and LTPAToken2).
In general, for this to work both the Websphere and your PHP app have to share the same LTPA keys (based on which the LTPA tokens are generated). In websphere administration, a little configuration is needed to enable LTPA and synchronize the keys.
However, I'm completely ignorant about PHP capabilities for this; don't know if there are any LTPA PHP libraries or a builtin Apache/PHP support for LTPA whatsoever. Googling IBM's infocenter (publib.boulder.ibm.com) may help.
This ST Awareness on a PHP page article on IBM developerWorks may help you.
There is also an example of adding awareness to an ASP page in chapter 12 of the Redbook Building Sametime Enabled Applications. It details a way of doing it if you don't have LTPA in your environment.
WAS can create an LTPA cookie with a custom TAI, please read the link below for further details:
Developing a custom trust association interceptor
