保护PHP Web服务(SOAP)的安全
我有一个PHP web服务,它实际上帮助CMS对数据库进行一些更新。我一直试图在互联网上寻找解决方案,但还没有得到答案 有没有办法检查向Web服务发出请求的用户是否有权这样做,即检查用户会话? 这是我的虚拟服务(services.php)保护PHP Web服务(SOAP)的安全,php,ajax,web-services,soap,Php,Ajax,Web Services,Soap,我有一个PHP web服务,它实际上帮助CMS对数据库进行一些更新。我一直试图在互联网上寻找解决方案,但还没有得到答案 有没有办法检查向Web服务发出请求的用户是否有权这样做,即检查用户会话? 这是我的虚拟服务(services.php) 下面是使用服务[使用SOAP信封]的JavaScript(jQuery) function GetMyUName() { var req1 = ""; req1 += '<soap:Envelope xmlns:soap="http:
function GetMyUName() {
var req1 = "";
req1 += '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">\n';
req1 += '<soap:Body xmlns:m="includes/services.php">\n';
req1 += "<m:GetMyUserName>\n";
req1 += "</m:GetMyUserName>\n";
req1 += "</soap:Body>\n";
req1 += "</soap:Envelope>";
$.ajax({
url: "includes/services.php",
type: "POST",
data: req1,
cache: false
}).done(function (data) {
$("#UsernameTb").html($(data).find("return").text());
});
}
login.phpdie()标题(“Location:account.php”)echosecurePage//Check if a user has access to a page
function securePage($uri){
// earlier code omitted for readability here...
elseif(!isUserLoggedIn())
{
header("Location: login.php");
return false;
}
// ...
}
$.ajax({
type: "POST",
url: "services.php",
data: {action: 'someSecuredAction', data: 'some data for the command'},
success: function(response, status, xhr){
var ct = xhr.getResponseHeader("content-type") || "";
if (ct.indexOf('html') > -1) {
// If data looks like HTML, this is some page from UserCake
// likely served by a redirect, just display it
var newDoc = document.open("text/html", "replace");
newDoc.write(response);
newDoc.close();
}
if (ct.indexOf('json') > -1) {
// If data looks like JSON we have a
// successful 'service' response from the server
}
}
});
只是一些人为的东西,让您知道如何从请求中访问数据)
你在用什么?另外,您是否打算让SOAP服务使用与UserCake页面在CMS中保护的帐户相同的帐户?最后,为什么是肥皂?我认为服务器对服务器的通信更有效。如果您在浏览器中使用Javascript,通过RESTful界面交换JSON数据可能不会那么痛苦。@quickshiftin,是的,SOAP服务打算使用相同的帐户,因为我使用UserCake作为我的网站CMS的登录模型,一旦用户登录,UserCake对象将始终用于检查进程的授权。你能分享一个使用REST的类似东西的参考吗?看看UserCake的代码,我认为你将面临REST或SOAP的一些同样的挑战。。。从本质上讲,它不是设计成API的。只需查看UserCake中的login.php
,它调用die()
使用标题(“Location:account.php”)
重定向客户端并回显HTML。我将在回答中提供更多细节。这非常有帮助,我将尝试实现您提到的内容。但我担心这将需要很多更改,因为我的项目几乎处于开发的最后阶段:(
$.ajax({
type: "POST",
url: "services.php",
data: {action: 'someSecuredAction', data: 'some data for the command'},
success: function(response, status, xhr){
var ct = xhr.getResponseHeader("content-type") || "";
if (ct.indexOf('html') > -1) {
// If data looks like HTML, this is some page from UserCake
// likely served by a redirect, just display it
var newDoc = document.open("text/html", "replace");
newDoc.write(response);
newDoc.close();
}
if (ct.indexOf('json') > -1) {
// If data looks like JSON we have a
// successful 'service' response from the server
}
}
});
// If this ends up redirecting,
// the client should just pass it on through
securePage($_SERVER['PHP_SELF']);
switch($_POST['action']) {
case 'someSecuredAction':
// Again, if this redirects the client should be able to cope...
$loggedInUser->checkPermission(['someSecuredAction']);
// Do secured stuff here
$aResponse = someSecureAction($_POST['data']);
break;
}
// Now be nice enough to return the response as JSON
// like we might expect from an actual service
header('Content-Type: application/json;');
echo json_encode($aResponse);