I am stuck at one place while writing a web service using wso2/php.
I want to use secure mtom.
While using either encryption or signing, how do I come to know which client’s public certificate to use in the security token?
Or should I try matching with all present client public certificates?
I need to know, who the current user is. As the service is customer specific.
Please help… it’s urgent 🙂
Regards
Charanjeet Kaur
I know it’s a bit late, but I’ve come across your same question. Somehow this is a confusing topic (maybe because of a lack of precise documentation).
When configuring the service by code (instead of using a policy file), you are quite limited. Here is what I found:
When a client only signs a message, he attaches his certificate as a security token (wsse:BinarySecurityToken) in the header. The server takes that certificate and uses it to check the signature. So, you need to specify:
in the client: client certificate and private key.
in the service: service certificate and private key (takes client certificate from header).
When a client signs and encrypts a message, the client encrypts with the server certificate and also sends his certificate along so that the server can check the signature and encrypt back. Here, the service uses the certificate from the header to encrypt the response. So, you only need to specify:
in the client: client certificate and private key, and server certificate.
in the server: server certificate and private key (takes client certificate from header).
When the client only encrypts a message, he doesn’t send his certificate in the request, so you have to specify the client certificate in the service.
in the client: client certificate and private key, and server certificate.
in the server: server certificate and private key and client certificate.
So, in the first two cases you don’t need to specify your client’s certificate, and you can take it from the request header and do some further processing if you need to authenticate the user (maybe check it against some pre-shared certificates). In the last case, I couldn’t find a way around it (maybe using XML policies).
To retrieve the certificate in PHP you will need to deal with namespaces; the (hardwired) code would be something like this (inside your reply function):
Warning!! outputHeaders[3] is not a secure way to get the security header!! It’s just to show a simple way to get the client certificate.
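As an added example that is not code from the thread or from WSO2, the following PHP locates the wsse:BinarySecurityToken by namespace-aware XPath rather than a fixed header index, decodes the client certificate, and authenticates it against a pre-shared list of trusted certificate fingerprints. It assumes SOAP 1.1 and WS-Security 1.0 namespaces and the openssl extension; the envelope and the self-signed certificate are constructed at runtime so the script runs offline.

```php
<?php
// Added example (not from the original thread): pull the client certificate out of a
// wsse:BinarySecurityToken with namespace-aware XPath instead of a fixed header index,
// then authenticate it against a pre-shared list of trusted certificate fingerprints.

const NS_SOAP = 'http://schemas.xmlsoap.org/soap/envelope/';
const NS_WSSE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
const X509V3  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3';
const B64ENC  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary';

/** Generate a throw-away self-signed certificate (constructed) so the example runs offline. */
function makeTestCertPem(): string {
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr = openssl_csr_new(['commonName' => 'constructed-client'], $key);
    $crt = openssl_csr_sign($csr, null, $key, 1);
    openssl_x509_export($crt, $pem);
    return $pem;
}

/** Return the DER-encoded X.509 token from the wsse:Security header, or null if absent/ambiguous. */
function extractClientCertDer(string $soapXml): ?string {
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network fetches while parsing untrusted XML.
    if (!$doc->loadXML($soapXml, LIBXML_NONET)) { return null; }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('s', NS_SOAP);
    $xp->registerNamespace('wsse', NS_WSSE);
    $nodes = $xp->query('/s:Envelope/s:Header/wsse:Security/wsse:BinarySecurityToken[@ValueType="' . X509V3 . '"]');
    if ($nodes->length !== 1) { return null; } // require exactly one X.509 token
    $der = base64_decode(trim($nodes->item(0)->textContent), true);
    return $der === false ? null : $der;
}

/** Map the presented certificate to a customer id via its pre-shared SHA-256 fingerprint. */
function authenticateClient(string $der, array $trustedSha256): ?string {
    $pem = "-----BEGIN CERTIFICATE-----\n" . chunk_split(base64_encode($der), 64, "\n") . "-----END CERTIFICATE-----\n";
    $fp = openssl_x509_fingerprint($pem, 'sha256');
    if ($fp === false) { return null; } // not a parseable certificate
    return $trustedSha256[$fp] ?? null;  // unknown fingerprint => not authenticated
}

// Constructed request: the client's token inside the wsse:Security header.
$pem = makeTestCertPem();
$b64 = preg_replace('/-----[^-]+-----|\s+/', '', $pem); // PEM body is base64 DER
$envelope = '<s:Envelope xmlns:s="' . NS_SOAP . '"><s:Header><wsse:Security xmlns:wsse="' . NS_WSSE . '">'
    . '<wsse:BinarySecurityToken ValueType="' . X509V3 . '" EncodingType="' . B64ENC . '">' . $b64
    . '</wsse:BinarySecurityToken></wsse:Security></s:Header><s:Body/></s:Envelope>';
$trusted = [openssl_x509_fingerprint($pem, 'sha256') => 'customer-42']; // pre-shared certificates
$der = extractClientCertDer($envelope);
echo $der === null ? "no token\n" : (authenticateClient($der, $trusted) ?? 'unknown client') . "\n";
```

The fingerprint lookup only identifies the customer; the signature over the body must still be verified by the WS-Security layer before the identity is trusted, since anyone can attach a public certificate.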