Re: [Phpgacl-general] protecting 'non-owned' pages/apps with phpgacl?
From: <vmg...@gm...> - 2006-01-04 08:54:44
Hello, this is the first time I have to contribute something, so this is the first time I post here ;)

> sure, soap in & of itself is relatively straightforward ... but the
> devil's (usually) in the
> details.

That's right. There are currently three implementations of SOAP for PHP:

- nuSOAP from Dietrich Ayala
- PEAR::SOAP from the team "around" Shane Caraveo
- PHP5 SOAP extension

If you have any possibility to use PHP5, please use ext/soap. It's a lot faster than the pure PHP implementations and provides a cute WSDL support (incl. caching). The PHP implementations also to some extent support WSDL, but since also the documentation of ext/soap is the best of all three, this should be the best choice. A starting point for using ext/soap is here:

http://www.zend.com/php5/articles/php5-SOAP.php

This is a tutorial by Dmitry Stogov, one of the authors of ext/soap.

> for my scenario, namely things like: encryption over the wire, setting
> up .htaccess *as* the
> client, etc etc. none of it impossible, i'm sure ...

Practical security measures for SOAP are simply:

- put your SOAP server on a https server
- use HTTP basic auth authentication for connecting for SOAP calls (supported by all three implementations as far as I know)

Hm, I didn't follow the whole discussion. But from the above I assume that you would like to use Basic Auth (.htaccess) as a permission system on the Apache site but would like to get "the answers" not from any .htaccess file itself but from some phpgacl server attached by some means to that. If that is right, I see some major problems:

Basic Auth only knows a simple semantics: "Can X access?" - "Yes/No". There is no means to ask for a specific right or to get back some richer information than just yes or no. PHPgacl is just the opposite of that. It doesn't do authentication (are you who you claim to be, checked by password) but does authorization (you are who you claim to be, so what are you allowed to do?). But I may be completely wrong about your goal ;)

> for those interested, a reference URL for the nuSOAP server pkgd with
> phpgacl, with some
> tutorials, is at:
>
> http://www.scottnichol.com/soap.htm

Cute thing, I didn't know that. Thanks!

> the original developer is, apparently, at:
>
> http://dietrich.ganx4.com/nusoap
>
> but, iiuc, has passed off development to ScottNichol, @ the above url.

Dietrich wrote the package originally as "soapx4", then this development incl. Dietrich was "bought" by NuSphere, so the package was renamed to "nuSOAP". Since March 2004 development actually seems to be done by Scott.

If you really would like to dive into SOAP, I recommend reading the W3C recommendation for technical report at http://www.w3.org/2000/xp/Group/. It's really understandable and contains even examples of SOAP messages ;)

At least there are two talks (by me) at the last international PHP conference in Frankfurt, Germany, which use phpgacl as a permissions management back end for different protocols:

- "Creating Enterprise Grade Single Sign-On Services Using ext/soap" (web page: http://www.arachnion.de/conf_talk1.html, materials at http://conf.arachnion.info/SOAP_PACK.zip)
- "Sophisticated Sign-On and Authentication Structures Using XACML" (web page: http://www.arachnion.de/conf_talk2.html, materials at http://conf.arachnion.info/XACML_PACK.zip)

Both projects are in constant development. The sources and slides are included in both zips. There's no license, use it free.

XACML seemed to me like an XML infrastructure counterpart to phpgacl so it seemed natural to wrap phpgacl up with a network layer implementing XACML on top of that. SOAP seemed to be the more "natural" way of dealing with that, so there is that second approach.

Hope that helps a bit. In case of any question etc. feel free to contact me ;)

Best regards,
Volker Goebbels

--
Dr. Volker Göbbels            vm...@ar...
Arachnion GmbH & Co. KG       http://www.arachnion.de
Sandkaulbach 4                Tel. ++49 (0) 241 5591106
52062 Aachen                  Fax ++49 (0) 241 5591107
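The split the post describes, Basic Auth over HTTPS for authentication and phpgacl for authorization, as an added ext/soap example (not code from the post, from phpgacl or from the talks linked above). It assumes phpgacl is installed under ./phpgacl, that users are AROs in a section named "users", and that verify_password() is a hypothetical stand-in for your own user store.

```php
<?php
// Added example: ext/soap endpoint exposing a phpgacl permission check.
// Assumption: phpgacl's gacl class is at ./phpgacl/gacl.class.php.
require_once 'phpgacl/gacl.class.php';

// Hypothetical user store; replace with your real password lookup.
function verify_password(string $user, string $pass): bool {
    $users = ['alice' => password_hash('s3cret', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// 1. Transport: never accept Basic Auth credentials over plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    header('HTTP/1.1 403 Forbidden');
    exit('TLS required');
}

// 2. Authentication: Basic Auth only answers "is this really X?" (yes/no).
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user === '' || !verify_password($user, $pass)) {
    header('WWW-Authenticate: Basic realm="phpgacl SOAP"');
    header('HTTP/1.1 401 Unauthorized');
    exit;
}

// 3. Authorization: phpgacl answers "what may X do?" per ACO (section/value).
class AclService {
    private gacl $gacl;
    private string $user;

    public function __construct(gacl $gacl, string $user) {
        $this->gacl = $gacl;
        $this->user = $user;   // taken from the verified Basic Auth identity,
    }                          // never from the SOAP request body

    // acl_check() returns the matching ACL id or false; assumption: AROs
    // for people live in the phpgacl section "users".
    public function canAccess(string $acoSection, string $acoValue): bool {
        return (bool) $this->gacl->acl_check($acoSection, $acoValue, 'users', $this->user);
    }
}

$server = new SoapServer(null, ['uri' => 'urn:phpgacl-acl']);
$server->setObject(new AclService(new gacl(), $user));
$server->handle();
```

A client calling canAccess("pages", "admin") thus gets a per-right answer, which a bare .htaccess check cannot provide.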