Adding soap security header with php

Question

I have been tasked with rewriting a .NET application which communicates using a WSE Proxy to PHP. There is one thing I'm grappling with. I see the code UsernameToken userNameToken1 = new UsernameToken(sToken_UserName, sToken_Password, PasswordOption.SendPlainText); Which, I assume, adds a security header to the SOAP envelope. I am not sure how to do this in PHP. I tried the following snippet which I found online somewhere

$token = new stdClass;
$token->Username = new SOAPVar($username, XSD_STRING, null, null, null, $ns);
$token->Password = new SOAPVar($password, XSD_STRING, null, null, null, $ns);

$wsec = new stdClass;
$wsec->UsernameToken = new SoapVar($token, SOAP_ENC_OBJECT, null, null, null, $ns);

$headers = new SOAPHeader($ns, 'Security', $wsec, true);
$client->__setSOAPHeaders($headers);

But I get the following exception back:

Uncaught SoapFault exception: [SOAP-ENV:Client] com.sun.xml.wss.XWSSecurityException: Receiver Requirement for nonce has not been met; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Receiver Requirement for nonce has not been met

What am I doing wrong here? Is there missing information that I need to know?

Answer 1

You are sending the password in plain-text (I assume over SSL?), but the web service also requires a nonce.

See this discussion as it seems to be dealing with the same problem: http://wso2.org/forum/thread/5304

Answer 2

I spent a lot of time trying various approaches to WS-Security with PHP.

Finally I stumbled across this research paper by IBM that outlines an outstanding solution. We're now using it for high-volume integration with our web service.