Re: [Phpgacl-general] protecting 'non-owned' pages/apps with phpgacl?
From: OpenMacNews <ope...@gm...> - 2006-01-04 17:44:12
hi volker,

> this is the first time I have to contribute something, so this is the
> first time I post here ;)

thanks for your reply, both here & off list!

>> sure, soap in & of itself is relatively straightforward ... but the
>> devil's (usually) in the
>> details.
>
> That's right. There are currently three implementations of SOAP for PHP:
> - nuSOAP from Dietrich Ayala
> - PEAR::SOAP from the team "around" Shane Caraveo
> - PHP5 SOAP extension

good. that's what i've found.

> If you have any possibility to use PHP5,
> please use ext/soap.

yes, i'm currently using PHP 5.1.1 ... with "--soap-enabled"

    php -i | grep -i soap
    Soap Client => enabled
    Soap Server => enabled
    soap.wsdl_cache_dir => /tmp => /tmp
    soap.wsdl_cache_enabled => 1 => 1
    soap.wsdl_cache_ttl => 86400 => 86400

will its presence as an extension 'interfere' with nuSOAP, or 'other' soap implementations? at first glance, it does not seem like it matters at all.

> It's a lot
> faster than the pure PHP implementations and provides a cute WSDL
> support (incl. caching). The PHP implementations also to some extent
> support WSDL, but since also the documentation of ext/soap is the best
> of all three, this should be the best choice. A starting point for using
> ext/soap is here: http://www.zend.com/php5/articles/php5-SOAP.php
> This is a tutorial by Dmitry Stogov, one of the authors of ext/soap.

thanks for the pointer & reference.

even if it's 'advantageous' to switch-to/use ext/soap, it's not clear to me, yet, whether there's any particular *dependence* on nuSOAP that phpgacl has, other than it is bundled.

as SOAP is supposed to be portable, i'm guessing the change to use ext/soap as the server would be trivial ... thoughts?

>> for my scenario, namely things like: encryption over the wire, setting
>> up .htaccess *as* the
>> client, etc etc. none of it impossible, i'm sure ...
>
> Practical security measures for SOAP are simply:
> - put your SOAP server on a https server

clear.

> - use HTTP basic auth authentication for connecting for SOAP calls
> (supported by all three implementations as far as I know)

clear.

> Hm, I didn't follow the whole discussion. But from the above I assume
> that you would like to use Basic Auth (.htaccess) as a permission system
> on the Apache site but would like to get "the answers" not from any
> .htaccess file itself but from some phpgacl server attached by some
> means to that. If that is right,

[snip]

> But I may be completely wrong about your goal ;)

a little bit ...

for all the source (PHP &/or otherwise ...) that *i* write/control, i intend to invoke/use phpgacl, with all its fine-grained control.

my 'challenge' at the moment is how to use phpgacl to provide "single sign on"(-ish) control of access to OTHER apps (like blogs, forums, etc, etc), that are in my site hierarchy, but that i do NOT control.

as i see it, my options to do so are/include:

(1) full integration of phpgacl into those apps as a perms system
    best ... best, but not an easy undertaking -- politically or technically.

(2) add phpgacl headers to each of the 3rd party apps' pages
    ... yuck!

(3) use a 3rd party .htaccess-level control script (e.g. Password Sentry) in addition to phpgacl to control those areas of the site NOT under "full" phpgacl control

(4) access/use phpgacl's auth data -- via soap -- to provide that .htaccess-level auth/control

NOTE: --> (4) is the "target" i'm exploring.

> If you really would like to dive into SOAP, I recommend to read the W3C
> recommendation for technical report at http://www.w3.org/2000/xp/Group/.
> It's really understandable and contains even examples of SOAP messages ;)

gr8. thx.

for those interested, i've also found this to be a useful launching point:

http://www.soaprpc.com/faq.html

> At least there are two talks (by me) ...

[snip]

> Both projects are in constant development. The sources and slides are
> included in both zips. There's no license, use it free.

thank you for making these available. helpful!

> XACML seemed to me like an XML infrastructure counterpart to phpgacl so
> it seemed natural to wrap phpgacl up with a network layer implementing
> XACML on top of that. SOAP seemed to be the more "natural" way of
> dealing with that, so there is that second approach.

interesting ...

> Hope that helps a bit. In case of any question etc. feel free to contact
> me ;)

as i'm reading your presentations, the choice/use of XACML seems useful/clear. do not yet know whether it's (a) overkill, or greater ease & flexibility, for my uses, (b) even possible/recommended to approach my 'issue' this way.

thanks much for the comments!

cheers,

richard

--
 /"\
 \ /  ASCII Ribbon Campaign
  X   against HTML email, vCards
 / \  & micro$oft attachments

[GPG] OpenMacNews at gmail dot com
fingerprint: 50C9 1C46 2F8F DE42 2EDB D460 95F7 DDBD 3671 08C6
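
One way option (4) could be wired up with the two measures from the quoted reply (an HTTPS endpoint plus HTTP Basic auth on the SOAP call), using the ext/soap client. This is an added example, not part of the original message and not phpgacl's own code; the endpoint URL, namespace, section values, environment variable names, and the assumption that the server exposes phpgacl's `acl_check` over SOAP are all hypothetical.

```php
<?php
// Added example: gate a third-party page on a decision from a remote phpgacl
// SOAP service. Endpoint URL, namespace URI, env var names and the exposed
// method name "acl_check" are assumptions, not taken from the thread.

function make_acl_client(string $endpoint, string $user, string $pass): SoapClient
{
    if (stripos($endpoint, 'https://') !== 0) {
        throw new InvalidArgumentException('ACL endpoint must be https');
    }
    return new SoapClient(null, [          // non-WSDL mode: no network I/O yet
        'location'           => $endpoint,
        'uri'                => 'urn:phpgacl-example', // hypothetical namespace
        'login'              => $user,     // HTTP Basic auth for the SOAP call
        'password'           => $pass,
        'connection_timeout' => 5,
        'exceptions'         => true,      // transport errors become SoapFault
        'stream_context'     => stream_context_create(['ssl' => [
            'verify_peer'      => true,    // validate the server certificate
            'verify_peer_name' => true,
        ]]),
    ]);
}

// Returns true only on an explicit boolean true from the service.
function acl_allows(SoapClient $client, string $aroUser, string $acoPage): bool
{
    try {
        $result = $client->__soapCall('acl_check',
            ['pages', $acoPage, 'users', $aroUser]); // constructed section values
        return $result === true;
    } catch (SoapFault $e) {
        error_log('ACL lookup failed: ' . $e->getMessage());
        return false;                      // fail closed when the ACL server is down
    }
}

$client = make_acl_client(
    'https://acl.example.org/soap/server.php',   // hypothetical endpoint
    getenv('ACL_SOAP_USER') ?: '',
    getenv('ACL_SOAP_PASS') ?: ''
);
$user = $_SERVER['PHP_AUTH_USER'] ?? '';   // set by Apache after Basic auth
if ($user === '' || !acl_allows($client, $user, 'forum')) {
    http_response_code(403);
    exit("Access denied\n");
}
```

Here Apache's Basic auth still authenticates the visitor; the SOAP call only answers the authorization question, and any fault or non-boolean reply is treated as a denial.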