What happens if an error occurs while running the client? Like other languages, such as Java, PHP 5 adds a new exception mechanism. Ext/soap uses this new mechanism to return an error in the form of a SoapFault object. For example, you can wrap the code in the following form:
try {
... some SOAP operation
catch (SoapFault $soapFault) {
Echo $soapFault;
}
Note that unlike Java, the Try-catch block of a PHP language cannot contain a finally clause.
SoapFault can be generated locally. For example, suppose you lose the startdate parameter of the getforecast. The client's output becomes:
SoapFault exception: [Soap-env:client]
Soap-error:encoding:object hasn ' t ' startdate ' property in weatherclientejb.php:32
Stack Trace: #0 weatherclientejb.php: Soapclient->getforecast (' Getforecast ', Array)
#1 weatherclientejb.php: Displayforecast (Array)
#2 {main}
Note that there is no trace output, because the request was not sent. Soap_env:client is one of the values defined in the SOAP specification for the faulty BODY element faultcode field.
This soapfault was generated when an error was found inside the ext/soap, and it did not send a SOAP message. However, Soapfaults can also report errors found on the server. For example, suppose you modify the code to set the value of the StartDate parameter to "baddatestring". This is an illegal ISO 8601 string, but Ext/soap does not check the provided format, only sends the message to the server, and the server rejects the request:
SoapFault exception: [Server.generalexception] Java.lang.NumberFormatException:
WSWS3046E:Error:Invalid date/time:baddatestring in weatherclientejb.php:32
Stack Trace: #0 weatherclientejb.php: Soapclient->getforecast (' Getforecast ', Array)
#1 weatherclientejb.php: Displayforecast (Array)
#2 {main}
This time, the SOAP request was passed to the server, but was rejected because the date format was invalid. The WEATHERFORECASTEJB implementation throws a java.lang.NumberFormatException that is returned as a faulty BODY element in a SOAP reply and then reported to the client as a SoapFault exception.
Securing Web Services
We examined three security methods and how to use them in PHP:
Basic HTTP Authentication
If the HTTP server requires the client to authenticate, the user is requested to enter an ID and password and an authentication Required HTTP header file is added to the answer. The client must respond to a request that contains an acceptable Authorization HTTP header file before the subsequent operation.
HTTP authentication is typically requested by the Web server, not by the Web service provider. Authentication Required HTTP header files are passed to the browser, the browser pop-up dialog box requests the user ID and password, and then sends the user's reply as an HTTP Authorization header file to the WEB server. This is easy to implement in PHP scripts, and you can use the header () function to send the required HTTP header file fields. For example:
if (!isset ($_server[' Php_auth_user ')) {
Header (' Www-authenticate:basic realm= "Weather");
Header ("http/1.0 401 Unauthorized");
}
echo "Welcome". $_server[' Php_auth_user '];
This process is described in detail in the PHP manual using the HTTP authentication chapter in PHP.
You may encounter some WEB services where the provider of these services requires the PHP WEB service client to authenticate using HTTP. EXT/SOAP provides a simple way to send an HTTP Authorization request header file, using an array of options passed to the SoapClient constructor:
$soapClient = new SoapClient ("http://localhost:9080/").
"ITSOWEBSERVICE2ROUTERWEB/WSDL/ITSO/SESSION/WEATHERFORECASTEJB.WSDL",
Array (' Login ' => "userid",
' Password ' => "password"));
However, it is considered that HTTP Basic authentication is not a secure method of user authentication (unless a combination of other external security systems, such as SSL) is used, because the user name and password are passed on the network in clear text form. HTTP Digest Authentication improves this approach with an encrypted password, but not all browsers support this improvement. Also, the header () function of PHP only supports Basic authentication.
SSL (Secure Sockets Layer)
A more secure protocol is HTTPS (HTTP over SSL), which uses SSL to encrypt HTTP messages. SSL works on the transport layer and does not understand the HTTP or SOAP protocol. Therefore, it cannot encrypt only the sensitive components in the message, but must encrypt the entire message. HTTPS can be used between a browser and a Web server, or between a Web server and a Web service provider.
If OpenSSL is compiled and enabled, PHP can also support HTTPS. How to use SSL in a PHP script, see the OpenSSL chapter in the PHP manual.
What about authentication? SSL can send a security certificate, and the other party can accept or reject the security certificate. This is useful if the client is required to validate a WEB service provider, such as an E-commerce application. However, if the Web service itself provides access to sensitive information, then the Web service provider needs to authenticate each customer. Certificate-based authentication is not appropriate because the customer may be numerous and dynamic, and it is not realistic to distribute the appropriate certificate for each customer beforehand.
Ws-security
The Ws-security standard provides a different approach to WEB service security. The security controls we are investigating now are outside the SOAP protocol. But ws-security is security-controlled by adding a security header file to the SOAP message. For example, for Ws-security Basic authentication (unlike HTTP Basic authentication), the following label appears in the SOAP header file:
<wsse:UsernameToken>
<wsse:Username> userid </wsse:Username>
<wsse:Password> Password </wsse:Password>
</wsse:UsernameToken>
This is just a simple example, but a complete set of security extensions is perfect, including not only authentication, but also integrity, confidentiality, and so on.
At present, there is no good support for ws-security in Ext/soap. Therefore, if you want to send and receive ws-security headers in PHP, you must drill down to a more low-level interface to explicitly create a SOAP header file. So far, the Ext/soap WSDL pattern is used in the example. However, there is also a non-WSDL pattern that can be used to control the entire SOAP message. Of course, you have to do a lot of work in your code. You can use the SoapHeader, Soapparam, and Soapvar classes to create messages, and then send SOAP requests and receive responses with Soapclient::__call. If you don't have any built-in support, writing a WEB service security extension in PHP (or other advanced specifications like Ws-transactions) will be a daunting task, and we don't intend to try this in this article.
Conclusion
Using a PHP SOAP extension is not difficult. No matter how the server is implemented, it takes just a few lines of code to develop a PHP script to access a simple Web service. As always, PHP has done a great job with ease of use. This article mainly discusses how to use the SoapClient class to access existing Web services on heterogeneous networks, but it is also straightforward to deploy Web services using the SoapServer class with Ext/soap.
If you are dealing with more complex interactions, the current version of EXT/SOAP does not provide us with much help. Mappings from XML schemas to PHP are sometimes not clear enough to be validated by experimentation or by studying the source code. If you want to use a more advanced Web service protocol, the only option is to delve into the non-WSDL schema and create the SOAP header file with your own script, but this is tedious and error prone.
One important proposition of WEB services is interoperability of different platforms, operating systems, and programming languages. Independent WS-I (WEB Services Interoperability) organization provides a test package to verify the adaptability to its Basic profile, and we want to see ext/soap reach a certain level, showing that it can adapt 。 We also hope that ext/soap continue to develop and become the mainstream of PHP expansion.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
