Bug #31747 SOAP Digest Authentication
Submitted: 2005-01-28 19:46 UTC Modified: 2005-02-02 13:01 UTC
From: Jared dot Williams1 at ntlworld dot com Assigned: dmitry
Status: Closed Package: SOAP related
PHP Version: 5CVS-2005-01-28 (dev) OS: Windows 2000/IIS
Private report: No CVE-ID:
 [2005-01-28 19:46 UTC] Jared dot Williams1 at ntlworld dot com
Description:
------------
This is related to http://bugs.php.net/bug.php?id=28041

Using the php5.0-win32-200501280930 snapshot, still seem unable to use Digest Authentication against labs.zap2it.com.

Request Headers:
POST /tvlistings/xtvdService HTTP/1.1
Host: datadirect.webservices.zap2it.com
Connection: Keep-Alive
User-Agent: PHP SOAP 0.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "urn:TMSWebServices:xtvdWebService#download"
Content-Length: 584
Authorization: Basic *******************

Does appear to be sending Basic authentication details, even though the service requests only digest. (Security issue).

WWW-Authenticate	Digest realm="TMSWebServiceRealm", nonce="********************************************************************************", opaque="****************", algorithm=MD5, qop="auth"

Reproduce code:
---------------
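<?php
// USER and PASSWORD are constants holding the account credentials (not shown in the report).
$client = new SoapClient('xtvd.wsdl', array(
    'trace'      => 1,   // record the exchange so __getLastResponse*() returns data
    'exceptions' => 0,   // return a SoapFault instead of throwing
    'login'      => USER,
    'password'   => PASSWORD,
));

$result = $client->download(time() - 60*3, time() + 60*60*12);
echo "<pre>\n";
echo "Response Headers:\n", htmlspecialchars($client->__getLastResponseHeaders()), "\n";
echo "Response:\n", htmlspecialchars($client->__getLastResponse()), "\n";
echo "</pre>";
?>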

Expected result:
----------------
XML listings

Actual result:
--------------
Response Headers:
HTTP/1.1 100 Continue
Date: Fri, 28 Jan 2005 18:41:23 GMT
Server: Orion/2.0.2

Response:
<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD><BODY><H1>401 Unauthorized</H1></BODY></HTML>


 [2005-02-02 11:39 UTC] dmitry@php.net
Fixed in CVS (HEAD and PHP_5_0).

Please verify it for me; I don't have a login on labs.zap2it.com.

With the new version you can use the additional option 'authentication' => SOAP_AUTHENTICATION_DIGEST in the SoapClient constructor.

This option is not necessary; however, without it SOAP will first try to log in using basic authentication and then using digest authentication.
 [2005-02-02 13:01 UTC] Jared dot Williams1 at ntlworld dot com
Using php5-win32-200502021130 snapshot.

Now works, with the authentication option present, or missing.

Response Headers:
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Wed, 02 Feb 2005 11:58:04 GMT
Content-Type: text/xml; charset=utf-8
Server: Orion/2.0.2

Response:
<?xml version='1.0' encoding='utf-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' xmlns:xsd='http://www.w3.org/2001/XMLSchema' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:SOAP-ENC='http://schemas.xmlsoap.org/soap/encoding/'>

<SOAP-ENV:Body>
<ns1:downloadResponse
SOAP-ENV:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/'
xmlns:ns1='urn:TMSWebServices'>
<xtvdResponse xsi:type='ns1:xtvdResponse'>
<messages xsi:type='ns1:messages'>
...
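
The difference between the two Authorization headers discussed in this report, as an added example (not code from the report or from PHP's SOAP extension): it parses a Digest challenge shaped like the one quoted above and builds the RFC 2617 response for algorithm=MD5, qop=auth, next to the Basic header for the same credentials. The function names, credentials, nonce and opaque value are constructed for illustration.

```php
<?php
// Added example; credentials, nonce and opaque are constructed sample values.
// Parse a "Digest ..." WWW-Authenticate value into a lowercase-keyed array.
function parseDigestChallenge(string $value): ?array
{
    if (!preg_match('/^\s*Digest\s+(.+)$/is', $value, $m)) {
        return null; // no Digest challenge offered
    }
    preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/', $m[1], $pairs, PREG_SET_ORDER);
    $params = [];
    foreach ($pairs as $p) {
        $params[strtolower($p[1])] = ($p[3] ?? '') !== '' ? $p[3] : $p[2];
    }
    return $params;
}

// RFC 2617 Authorization value for algorithm=MD5, qop=auth (hypothetical helper).
function digestAuthorization(array $c, string $user, string $pass,
                             string $method, string $uri, string $cnonce, int $nc = 1): string
{
    $qops = array_map('trim', explode(',', $c['qop'] ?? ''));
    if (!isset($c['realm'], $c['nonce']) || !in_array('auth', $qops, true)
        || strcasecmp($c['algorithm'] ?? 'MD5', 'MD5') !== 0) {
        throw new InvalidArgumentException('only algorithm=MD5 with qop=auth is handled');
    }
    $ncHex    = sprintf('%08x', $nc);
    $ha1      = md5("$user:{$c['realm']}:$pass");   // the password only enters a hash
    $ha2      = md5("$method:$uri");
    $response = md5("$ha1:{$c['nonce']}:$ncHex:$cnonce:auth:$ha2");
    $header   = sprintf(
        'Digest username="%s", realm="%s", nonce="%s", uri="%s", algorithm=MD5, '
        . 'qop=auth, nc=%s, cnonce="%s", response="%s"',
        $user, $c['realm'], $c['nonce'], $uri, $ncHex, $cnonce, $response
    );
    return isset($c['opaque']) ? $header . sprintf(', opaque="%s"', $c['opaque']) : $header;
}

// Constructed challenge in the shape of the one quoted in the report.
$challenge = 'Digest realm="TMSWebServiceRealm", nonce="c0ffee0123456789", '
           . 'opaque="feedface", algorithm=MD5, qop="auth"';
[$user, $pass] = ['demo-user', 'demo-password'];   // constructed credentials

// Basic is a reversible encoding: anyone who sees the header recovers the password.
$basic = 'Basic ' . base64_encode("$user:$pass");
echo 'Decoded Basic header: ', base64_decode(substr($basic, 6)), "\n";
$digest = digestAuthorization(parseDigestChallenge($challenge), $user, $pass,
    'POST', '/tvlistings/xtvdService', bin2hex(random_bytes(8)));
echo "Authorization: $digest\n";
echo 'Password in Digest header: ', strpos($digest, $pass) !== false ? 'yes' : 'no', "\n";
```

With 'trace' => 1 set on a SoapClient, the same comparison can be made against a real request by inspecting __getLastRequestHeaders() for an "Authorization: Basic" line.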
Last updated: Thu Apr 17 09:02:29 2014 UTC