SOAP services


SOAP services

Joao Oliveira
Hello all,

I've been looking at vtiger SOAP (version 4.2.x and 5 alpha), and I've realized that there is an authentication mechanism for them, but it only returns true or false...

I know you guys have been making a great effort to improve security, but I think that all of it can be bypassed by going through the SOAP services. Am I wrong?

for example...

method DeleteTasks($username,$crmid) in vtigerolservice.php

If I'm a stranger, I can still do something like DeleteTasks('admin', 1); without any kind of authentication...

IMHO, some kind of token authentication should be used, saved in the $_SERVER[] variable, or the user should be authenticated with username/password each time a method is called.

Best Regards
João Oliveira.

_______________________________________________
This vtiger.com email is sponsored by Zoho Planner. Still scribbling down your To-Do's on bits of paper & palms of your hands? Try the AJAX enabled, personal organizer online, Zoho Planner for FREE instead! http://zohoplanner.com/?vt 

Re: SOAP services

Mike Fedyk
How hard is it to do the authentication code?  If it can't be done
quickly then let's create a variable that turns soap off when (so
upgrades will disable soap even if the new variable is not in config.php).

Joao Oliveira wrote:

> Hello all,
>
> I've been looking at vtiger SOAP (version 4.2.x and 5 alpha), and I've
> realized that there is an authentication mechanism for them, but it
> only returns true or false...
>
> I know you guys have been making a great effort to improve security,
> but I think that all of it can be bypassed by going through the SOAP
> services. Am I wrong?
>
> for example...
>
> method DeleteTasks($username,$crmid) in vtigerolservice.php
>
> If I'm a stranger, I can still do something like DeleteTasks('admin',
> 1); without any kind of authentication...
>
> IMHO, some kind of token authentication should be used, saved in the
> $_SERVER[] variable, or the user should be authenticated with
> username/password each time a method is called.
>
> Best Regards
> João Oliveira.

Re: SOAP services

Joao Oliveira
Hello Mike.

Thanks for the answer.

I'm doing some research to evaluate how hard it is to implement a session mechanism in SOAP services in PHP.

I'll post my results.

In the meantime, if someone has suggestions, please do post them.

And about my suggestion regarding $_SERVER[], forget it. I thought that it was possible to define there some custom server global variables, but it isn't.

Best Regards
João Oliveira

On 3/22/06, Mike Fedyk <[hidden email]> wrote:
> How hard is it to do the authentication code?  If it can't be done
> quickly then let's create a variable that turns soap off when (so
> upgrades will disable soap even if the new variable is not in config.php).
>
> Joao Oliveira wrote:
>
> > Hello all,
> >
> > I've been looking at vtiger SOAP (version 4.2.x and 5 alpha), and I've
> > realized that there is an authentication mechanism for them, but it
> > only returns true or false...
> >
> > I know you guys have been making a great effort to improve security,
> > but I think that all of it can be bypassed by going through the SOAP
> > services. Am I wrong?
> >
> > for example...
> >
> > method DeleteTasks($username,$crmid) in vtigerolservice.php
> >
> > If I'm a stranger, I can still do something like DeleteTasks('admin',
> > 1); without any kind of authentication...
> >
> > IMHO, some kind of token authentication should be used, saved in the
> > $_SERVER[] variable, or the user should be authenticated with
> > username/password each time a method is called.
> >
> > Best Regards
> > João Oliveira.
> >
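
The session mechanism Joao says he is evaluating, worked through as an added example (this is not vtiger code and not Joao's eventual results). A login() method verifies the user and returns a random token; every other method takes that token as its first parameter and is refused without a valid one, so the bare $username argument that DeleteTasks() currently trusts is no longer the only thing standing between a stranger and a deletion. Assumed: a user store (a constructed array standing in for the vtiger users table, holding password_hash() output), a token store in the file /tmp/soap_tokens.json, and a 30-minute token lifetime.

```php
<?php
// Added example, not vtiger code: token-based sessions for a PHP SOAP service.
// Assumptions: user store below stands in for the vtiger users table; tokens
// live in a JSON file (a database table is the real-world choice); TTL is 30 min.

const TOKEN_TTL  = 1800;                       // seconds a token stays valid (assumed)
const TOKEN_FILE = '/tmp/soap_tokens.json';    // assumed location of the token store

// Constructed stand-in for the application's user table: username => password hash.
function user_store(): array {
    return ['admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
}

function load_tokens(): array {
    if (!is_file(TOKEN_FILE)) { return []; }
    $data = json_decode((string) file_get_contents(TOKEN_FILE), true);
    return is_array($data) ? $data : [];
}

function save_tokens(array $tokens): void {
    file_put_contents(TOKEN_FILE, json_encode($tokens), LOCK_EX);
}

class VtigerSoapService {
    // Returns a session token on success; throws a SoapFault on bad credentials.
    public function login(string $username, string $password): string {
        $users = user_store();
        // Always run password_verify(), against a throwaway hash when the user does
        // not exist, so response time does not reveal which usernames are valid.
        $hash  = $users[$username] ?? password_hash('unused', PASSWORD_DEFAULT);
        $valid = password_verify($password, $hash) && isset($users[$username]);
        if (!$valid) {
            throw new SoapFault('Client', 'Authentication failed');
        }
        $token  = bin2hex(random_bytes(32));   // 256-bit random, unguessable token
        $tokens = load_tokens();
        $tokens[$token] = ['user' => $username, 'expires' => time() + TOKEN_TTL];
        save_tokens($tokens);
        return $token;
    }

    public function logout(string $token): bool {
        $tokens = load_tokens();
        unset($tokens[$token]);
        save_tokens($tokens);
        return true;
    }

    // Every business method starts with this check. Private methods are not
    // exposed by SoapServer::setClass(), so a client cannot call it directly.
    private function requireUser(string $token): string {
        $tokens = load_tokens();
        $entry  = $tokens[$token] ?? null;
        if ($entry === null || $entry['expires'] < time()) {
            unset($tokens[$token]);          // drop expired tokens as they are seen
            save_tokens($tokens);
            throw new SoapFault('Client', 'Invalid or expired session token');
        }
        return $entry['user'];
    }

    // The token replaces the trusted $username parameter of the original method.
    public function DeleteTasks(string $token, int $crmid): bool {
        $user = $this->requireUser($token);
        // the actual deletion of task $crmid on behalf of $user would go here
        error_log("DeleteTasks($crmid) by $user");
        return true;
    }
}

if (PHP_SAPI !== 'cli') {
    // Serve the class over SOAP when reached through the web server (no WSDL here).
    $server = new SoapServer(null, ['uri' => 'urn:vtiger-soap-example']);
    $server->setClass(VtigerSoapService::class);
    $server->handle();
} else {
    // Command-line self-check: wrong password refused, valid token works, then
    // the same token is refused once logged out.
    $svc = new VtigerSoapService();
    try { $svc->login('admin', 'wrong'); echo "unexpected success\n"; }
    catch (SoapFault $e) { echo "refused: {$e->getMessage()}\n"; }
    $t = $svc->login('admin', 'correct horse battery staple');
    var_dump($svc->DeleteTasks($t, 1));
    $svc->logout($t);
    try { $svc->DeleteTasks($t, 1); } catch (SoapFault $e) { echo "refused after logout\n"; }
}
```

Two design points worth keeping whatever store is used: the token is compared by exact array key, so it carries no meaning an attacker could forge, and expiry is enforced server-side on every call rather than trusted from the client.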

Re: SOAP services

Lee Valentine
Hi,

To implement authentication for the SOAP services, the servers can be placed in a directory such as soap/ and
htaccess authentication placed on that directory.  The soap client provides a function to authenticate:

  $client = new soapclient( 'http://server.com/crm/soap/server.php', ... );
  $client->setCredentials('username', 'password');

.htaccess:
AuthName "SOAP"
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user

Another method to use would be to place the code below at the top of the soap server and place the
username/password in variables in the config.  This method has prerequisites:

"The $PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE global variables are only available when PHP is installed as a
module. If you're using the CGI version of PHP, you will be limited to Web server-based authentication or other custom
types of authentication (such as using HTML forms) to match passwords in a database."

config:
$soap_username = 'username';
$soap_password = 'password';

soap/server.php:
// The bare $PHP_AUTH_USER / $PHP_AUTH_PW globals only exist with register_globals
// on; reading them from $_SERVER works whenever PHP runs as a web server module.
if ( !isset( $_SERVER['PHP_AUTH_USER'] ) || !isset( $_SERVER['PHP_AUTH_PW'] )
     || $_SERVER['PHP_AUTH_USER'] != $soap_username
     || $_SERVER['PHP_AUTH_PW'] != $soap_password ) {

    // Ask the client for Basic credentials and stop before any SOAP method runs.
    header( 'WWW-Authenticate: Basic realm="SOAP"' );
    header( 'HTTP/1.0 401 Unauthorized' );
    echo 'Authorization Required.';
    exit;
}

I have implemented the first method and it works fine.

Thanks,
Lee

On Mar 22 12:06, Joao Oliveira wrote:

> Hello Mike.
>
> Thanks for the answer.
>
> I'm doing some research to evaluate how hard it is to implement a session
> mechanism in SOAP services in PHP.
>
> I'll post my results.
>
> In the meantime, if someone has suggestions, please do post them.
>
> And about my suggestion regarding $_SERVER[], forget it. I thought that it
> was possible to define there some custom server global variables, but it
> isn't.
>
> Best Regards
> João Oliveira
>
> On 3/22/06, Mike Fedyk <[hidden email]> wrote:
> >
> > How hard is it to do the authentication code?  If it can't be done
> > quickly then let's create a variable that turns soap off when (so
> > upgrades will disable soap even if the new variable is not in config.php).
> >
> > Joao Oliveira wrote:
> > > Hello all,
> > >
> > > I've been looking at vtiger SOAP (version 4.2.x and 5 alpha), and I've
> > > realized that there is an authentication mechanism for them, but it
> > > only returns true or false...
> > >
> > > I know you guys have been making a great effort to improve security,
> > > but I think that all of it can be bypassed by going through the SOAP
> > > services. Am I wrong?
> > >
> > > for example...
> > >
> > > method DeleteTasks($username,$crmid) in vtigerolservice.php
> > >
> > > If I'm a stranger, I can still do something like DeleteTasks('admin',
> > > 1); without any kind of authentication...
> > >
> > > IMHO, some kind of token authentication should be used, saved in the
> > > $_SERVER[] variable, or the user should be authenticated with
> > > username/password each time a method is called.
> > >
> > > Best Regards
> > > João Oliveira.

Re: SOAP services

Mike Fedyk
Lee Valentine wrote:

> Hi,
>
> To implement authentication for the SOAP services, the servers can be placed in a directory such as soap/ and
> htaccess authentication placed on that directory.  The soap client provides a function to authenticate:
>
>   $client = new soapclient( 'http://server.com/crm/soap/server.php', ... );
>   $client->setCredentials('username', 'password');
>
> .htaccess:
> AuthName "SOAP"
> AuthType Basic
> AuthUserFile /path/to/.htpasswd
> Require valid-user
>
> Another method to use would be to place the code below at the top of the soap server and place the
> username/password in variables in the config.  This method has prerequisites:
>
> "The $PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE global variables are only available when PHP is installed as a
> module. If you're using the CGI version of PHP, you will be limited to Web server-based authentication or other custom
> types of authentication (such as using HTML forms) to match passwords in a database."
I really don't want vtiger to authenticate against the web server, or a
htpasswd file.  We should authenticate SOAP against the vtiger users
stored in the vtiger database, though this may be an interim solution.  
Can you ready a patch that takes care of the first option?  It's better
than what we have now.

Also I don't want to do anything that causes vtiger to depend on
mod_php.  I will have my test server running php over fastcgi via suexec
soon in my development environment as this seems to be the only sane way
to securely run a php web server.

Mike
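
Lee's second method, reworked to meet Mike's two objections, as an added example that is neither Lee's nor vtiger's code: the credentials are checked against the application's own user table instead of a static pair in config or an htpasswd file, and nothing depends on mod_php. Under a module install Apache fills PHP_AUTH_USER/PHP_AUTH_PW; under CGI/FastCGI they are absent, so the raw Authorization header is decoded instead. Assumed: a users table with columns user_name and user_password holding password_hash() output (a stand-in for the real vtiger schema, which the thread does not show), a PDO DSN for the production branch, and that under CGI the header is forwarded by Apache's RewriteRule with the E= flag as written in the comment.

```php
<?php
// Added example, not vtiger code: HTTP Basic credentials verified against the
// application's user table on every SOAP request, without relying on mod_php.
// Under CGI/FastCGI Apache does not hand the Authorization header to PHP by
// default; this .htaccess fragment (assumed placement) forwards it:
//   RewriteEngine On
//   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
// Assumed schema: users(user_name, user_password) with password_hash() values.

// Returns [username, password] or null when no usable credentials were sent.
function basic_credentials(array $server): ?array {
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];   // module SAPI
    }
    $header = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);           // strict: reject malformed input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);                // the password may contain ':'
}

// Looks the user up and verifies the password hash; unknown users cost the same
// time as a wrong password so timing does not reveal valid usernames.
function authenticate(PDO $db, string $username, string $password): bool {
    static $dummy = null;
    if ($dummy === null) { $dummy = password_hash('unused', PASSWORD_DEFAULT); }
    $stmt = $db->prepare('SELECT user_password FROM users WHERE user_name = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, (string) $hash);
}

// Gate to run before any SOAP method: returns the authenticated username or
// sends the same 401 challenge Lee's snippet does and stops.
function require_soap_auth(PDO $db, array $server): string {
    $creds = basic_credentials($server);
    if ($creds === null || !authenticate($db, $creds[0], $creds[1])) {
        header('WWW-Authenticate: Basic realm="SOAP"');
        header('HTTP/1.0 401 Unauthorized');
        exit('Authorization Required.');
    }
    return $creds[0];
}

if (PHP_SAPI !== 'cli') {
    $db = new PDO('mysql:host=localhost;dbname=vtiger', 'dbuser', 'dbpass');   // assumed DSN
    $soapUser = require_soap_auth($db, $_SERVER);   // runs before SoapServer::handle()
    // register the service class with SoapServer and call handle() here
} else {
    // Command-line self-check against an in-memory SQLite copy of the table
    // (needs the pdo_sqlite extension).
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, user_password TEXT)');
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?)');
    $ins->execute(['admin', password_hash('s3cret', PASSWORD_DEFAULT)]);

    // CGI-style: raw header with the right password.
    [$u, $p] = basic_credentials(['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin:s3cret')]);
    var_dump(authenticate($db, $u, $p));
    // Module-style: PHP_AUTH_* already split, wrong password.
    [$u, $p] = basic_credentials(['PHP_AUTH_USER' => 'admin', 'PHP_AUTH_PW' => 'wrong']);
    var_dump(authenticate($db, $u, $p));
    // Unknown user and no header at all.
    var_dump(authenticate($db, 'nobody', 's3cret'));
    var_dump(basic_credentials([]));
}
```

Basic credentials travel in every request, so this only protects anything if the soap/ endpoint is served over TLS; the per-request check also means a compromised password is as bad here as in the web UI, which is exactly why Mike wants it tied to the same user records rather than a second, forgotten password file.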