How to communicate between PHP and WCF securely

Question

My system is based on .net. Their system is based on PHP. We want to exchange information for lookups and to add data to the respective databases. This has to be done securely and the two systems will be the only players in this game.

I've been doing some research but things related to security always throws me off. I have to admit that I'm having some trouble fully understanding what everything is in the config file (web.config in the WCF web service site).

Where do I start in ensuring that they transmit the data securely? Assuming I figure out the binding stuff, would they be sending a username and password that I will have to extract from their message? The client would be connecting to a https address.

Answer 1

There are really a lot of ways to answer this...

I assume their PHP app will be communicating to your WCF server with SOAP?

So, WCF has 2 ways of securing things, at the Transport level or at the Message level. Basically if you turn on Transport level security, then it encrypts the entire connection. This means it would use HTTPS. This would in turn mean that the entire conversation is encrypted, just like if you were sending your credit card info to a web site in a web form. Its equally as secure. The alternative is Message level security. This means that instead of encrypting the entire connection, the communication will happen over plain unencrypted HTTP, but the actual message itself will be encrypted before being transmitted over the wire.

If your service is hosted in IIS, then the easiest thing to do is just use the BasicHttpBinding and turn on Transport security. Then in IIS, have it use an SSL certificate and HTTPS.

That would handle the message encryption. Past that, if you need to handle a 'login' as a username and password, WCF has a built in way to handle that. This might help: http://nirajrules.wordpress.com/2009/05/22/username-over-https-custombinding-with-wcf%E2%80%99s-channelfactory-interface/

Answer 2

PHP itself does not support message security. You need some additional framework to support it. I integrated WCF client with PHP exposing web service with message security provided by WSO2 web services framework . The WSO2 framework doesn't have so many features as WCF (at least PHP developers told that) it supports asymetric security (WS-Security) with server and client certificate (X.509 Certificate Token Profile) and with user name and password as supporting token (User name token profile with digested password). Certificates are used for message encryption and signing, user name is used for authentication. This integration was pretty complex task because WCF in contrast does not support User name token profile with digested password and we have to implement it by ourselves.

So if you can use HTTPS (transport security) with message credentials (User name token profile with plain password) definitely go that way. It is much less complex and much more straight forward.

Answer 3

You're really going to have to determine the limitations of PHP in terms of web service standards. Can it handle WS-Security, for instance?

You may be limited to basicHttpBinding over SSL, sending the username/password in a SOAP Header (assuming it handles SOAP headers).