WSSE Security PHP SoapServer- Header not understood

I have a client call with a WSSE Security Header:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken wsu:Id="UsernameToken-7BCCD9337425FBA038149772606059420"><wsse:Username>USERNAME</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password><wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">NONCE</wsse:Nonce><wsu:Created>2017-06-17T19:01:00.594Z</wsu:Created></wsse:UsernameToken></wsse:Security></soapenv:Header>
   <soapenv:Body>
      <ns:FUNCTION/>
   </soapenv:Body>
</soapenv:Envelope>

As SoapServer I have a simple one:

// the SOAP Server options
$options=array(
    'trace' => true
    , 'cache_wsdl' => 0
    , 'soap_version' => SOAP_1_1
    , 'encoding' => 'UTF-8'
);

$wsdl = 'http://localhost/index.php?wsdl';

$server = new \SoapServer($wsdl, $options);
$server->setClass('ServerClass');
$server->handle();
$response = ob_get_clean();
echo $response;

As soon the property MustUnderstand = 1, then I become from the server the exception: Header not understood.

  1. How to understand the header?
  2. How to make the WSSE validation on the SoapServer side?

1 answer

  • answered 2017-06-17 19:23 Niko Nik

    The solution is very tricky! I don't know why is this handled by this way from the SoapServer, but here is the solution:

    class ServerClass {
    
        public function Security($data) {
            // ... do nothing
        }
    
        public function myFunction(){
            // here the body function implementation
        }
    }
    

    We need to define a function in our class, which is handling the soap request with the name of the header tag, which is holding the soap:mustUnderstand property. The function doesn't need to be implemented in some way.

    That's all!