I have a soap server that is created like so:

class ServerController extends Zend_Controller_Action
{
    public function serverAction()
    {
       memcache_flush();
       Zend_Registry::get('cache')->clean(Zend_Cache::CLEANING_MODE_ALL);

       $server = new SoapServer("http://####/services/soap-server/wsdl");
       $server->setClass('SOAP_Server_Map');
       $server->handle();
    }
}

I want to add authentication to it so that whenever anyone makes a call to a function in "SOAP_Server_Map", it checks that the credentials supplied in the SoapClient options array('login' and 'password') are valid.

Does anyone have any suggestions/help?
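One way to do the check described above, added here as an example rather than code from the question or from Zend Framework: SoapClient's 'login' and 'password' options are sent as an HTTP Basic Authorization header, which PHP exposes as $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], so the controller can verify them before SoapServer::handle() runs. The credential store, the 'api-user' account and the SOAP_Server_Map class are assumptions for the demonstration.

```php
<?php
// Added example (not from the question or Zend Framework): verify the HTTP Basic
// credentials that SoapClient sends for its 'login'/'password' options before
// handing the request to SoapServer. Assumed: a SOAP_Server_Map class exists and
// the WSDL URL below is a placeholder.

class ServerController extends Zend_Controller_Action
{
    // Constructed credential store: username => password_hash() output. The hash is
    // computed here only so the example runs stand-alone; a real deployment would
    // load precomputed hashes from a database or ask an identity provider instead.
    private static function credentialStore()
    {
        return [
            'api-user' => password_hash('example-secret', PASSWORD_DEFAULT),
        ];
    }

    private function authenticate()
    {
        // SoapClient's 'login'/'password' options arrive as HTTP Basic auth;
        // PHP populates these entries when running under mod_php or PHP-FPM.
        $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
        $pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
        if ($user === null || $pass === null) {
            return false;
        }
        $store = self::credentialStore();
        // Verify against a dummy hash for unknown users so the response time does
        // not reveal which usernames exist; the isset() keeps the final answer correct.
        $hash = isset($store[$user]) ? $store[$user] : password_hash('dummy', PASSWORD_DEFAULT);
        return password_verify($pass, $hash) && isset($store[$user]);
    }

    public function serverAction()
    {
        if (!$this->authenticate()) {
            // Challenge the client; SoapClient surfaces the 401 as a SoapFault.
            header('WWW-Authenticate: Basic realm="SOAP API"');
            header('HTTP/1.1 401 Unauthorized');
            exit;
        }
        // Basic auth only base64-encodes the password, so serve this endpoint over HTTPS.
        $server = new SoapServer("http://####/services/soap-server/wsdl");
        $server->setClass('SOAP_Server_Map');
        $server->handle();
    }
}
```

Every method in SOAP_Server_Map is reached only through serverAction(), so the single check before handle() covers all calls; a per-method policy would need SOAP_Server_Map itself to consult the authenticated user.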

A: 

I have exactly the same problem and I have the following thoughts:

I do not know if SOAP is/should be stateful or stateless; can we open a session and, if the user has supplied some form of credential, keep her logged in for some period of time?

The other way I am thinking of solving this is through API-keys, say for example giving a key: ABCDKEY and having the url as:

http://####/services/soap-server/ABCDKEY

This introduces security risks (the magic link attack), but I've seen it implemented in RSS personalized feeds etc. Any comments?

dimitris mistriotis