[Vtigercrm-developers] SOAP services
Lee Valentine
vtiger at leev.net
Wed Mar 22 15:03:56 PST 2006
Hi,
To implement authentication into SOAP services, the servers can be placed in a directory such as soap/ and place
htaccess authentication in the directory. The soap client provides a function to authenticate:
$client = new soapclient( 'http://server.com/crm/soap/server.php', ... );
$client->setCredentials('username', 'password');
.htaccess:
AuthName "SOAP"
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user
Another method to use would be to place the code below at the top of the soap server and place the
username/password in variables in the config. This method has prerequisites:
"The $PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE global variables are only available when PHP is installed as a
module. If you're using the CGI version of PHP, you will be limited to Web server-based authentication or other custom
types of authentication (such as using HTML forms) to match passwords in a database."
config:
$soap_username = 'username';
$soap_password = 'password';
soap/server.php:
if ( ( !isset( $PHP_AUTH_USER ) ) || ( !isset( $PHP_AUTH_PW ) ) || ( $PHP_AUTH_USER != $soap_username ) || ( $PHP_AUTH_PW != $soap_password ) ) {
    header( 'WWW-Authenticate: Basic realm="SOAP"' );
    header( 'HTTP/1.0 401 Unauthorized' );
    echo 'Authorization Required.';
    exit;
}
I have implemented the first method and it works fine.
Thanks,
Lee
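
A variant of the second method above, as an added example that is not part of Lee's message or of vtiger's code: it reads the credentials from $_SERVER, falls back to the raw Authorization header for CGI setups (assuming the web server forwards it as HTTP_AUTHORIZATION), compares in constant time, and refuses access when the config credentials are empty. The function names basic_credentials() and soap_auth_ok() are hypothetical.

```php
<?php
// Added example; $soap_username / $soap_password are the config variables from the message.

/** Extract [user, pass] from the request, or null if none were sent. */
function basic_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    // CGI/FastCGI: PHP_AUTH_* are not populated, so parse the raw header
    // (assumption: the web server forwards it as HTTP_AUTHORIZATION).
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Basic ') === 0) {
        $decoded = base64_decode(substr($header, 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            return explode(':', $decoded, 2);
        }
    }
    return null;
}

function soap_auth_ok(array $server, string $user, string $pass): bool
{
    $creds = basic_credentials($server);
    // Fail closed: missing or empty config credentials disable the service.
    if ($user === '' || $pass === '' || $creds === null) {
        return false;
    }
    // hash_equals() compares in constant time; evaluate both before combining.
    $userOk = hash_equals($user, $creds[0]);
    $passOk = hash_equals($pass, $creds[1]);
    return $userOk && $passOk;
}

// At the top of soap/server.php, after the config is included (skipped on the CLI):
if (PHP_SAPI !== 'cli' && !soap_auth_ok($_SERVER, $soap_username ?? '', $soap_password ?? '')) {
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="SOAP"');
    echo 'Authorization Required.';
    exit;
}

// Constructed requests, for running this file from the CLI:
if (PHP_SAPI === 'cli') {
    $hdr = 'Basic ' . base64_encode('username:password');
    var_dump(soap_auth_ok(['HTTP_AUTHORIZATION' => $hdr], 'username', 'password'));
    var_dump(soap_auth_ok(['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'x'], 'username', 'password'));
    var_dump(soap_auth_ok(['PHP_AUTH_USER' => '', 'PHP_AUTH_PW' => ''], '', ''));
}
```

Basic credentials are only base64-encoded on the wire, so either method protects the password only when the endpoint is served over HTTPS.
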
On Mar 22 12:06, Joao Oliveira wrote:
> Hello Mike.
>
> Thanks for the answer.
>
> I'm doing some search to evaluate how hard it is to implement a session
> mechanism in SOAP services in PHP.
>
> I'll post my results.
>
> In the meantime, if someone has suggestions, please do post them.
>
> And about my suggestion regarding $_SERVER[], forget it. I thought that it
> was possible to define there some custom server global variables, but it
> isn't.
>
> Best Regards
> João Oliveira
>
> On 3/22/06, Mike Fedyk <mfedyk at mikefedyk.com> wrote:
> >
> > How hard is it to do the authentication code? If it can't be done
> > quickly then let's create a variable that turns soap off when (so
> > upgrades will disable soap even if the new variable is not in config.php).
> >
> > Joao Oliveira wrote:
> > > Hello all,
> > >
> > > I've been looking at vtiger SOAP (version 4.2.x and 5 alpha), and I've
> > > realized that there is an authentication mechanism for them, but it
> > > only returns true or false...
> > >
> > > Once that you guys have been doing a great effort in order to improve
> > > security, but I think that all security is possible to bypass by
> > > accessing by SOAP Services. Am I wrong ?
> > >
> > > for example...
> > >
> > > method DeleteTasks($username,$crmid) in vtigerolservice.php
> > >
> > > If I'm a stranger, I still can do something like DeleteTasks('admin',
> > > 1); without any kind of authentication ...
> > >
> > > IMHO, it should be used any kind of token authentication and saved in
> > > $_SERVER[] variable, or authenticate a user with username/password
> > > each time one method is called.
> > >
> > > Best Regards
> > > João Oliveira.