Same as web pages, web services also sometimes require client authentication. The most frequent way of authentication is the use of the WS-Security Username token, which authenticates clients based on username and password. There can be situations where clients need to be authenticated based on their IP or their domain.
If you are writing web services in PHP (using a PHP web service framework like WSF/PHP), you can use the PHP variables $_SERVER["REMOTE_ADDR"] and $_SERVER["REMOTE_HOST"] to find the client's IP within the service logic code. If the client's IP is static you can directly use $_SERVER["REMOTE_ADDR"]; if it is dynamic you can use $_SERVER["REMOTE_HOST"], which is derived by a reverse DNS lookup of the client's IP.
Here is one example of the use of these $_SERVER[] variables inside service logic.
```php
function members_only_func($in_message) {
    // getting the client's IP.
    $remote_addr = $_SERVER["REMOTE_ADDR"];
    if ($remote_addr == "67.205.26.154" || $remote_addr == "124.43.59.95") {
        // generates the message for authenticated clients.
        // ($valid_out_message is built by the service logic, which is omitted here.)
        return $valid_out_message;
    }
    // otherwise throw an exception
    throw new WSFault("Sender", "Failed to Authenticate");
}

$operations = array("membersOnlyOp" => "members_only_func");
$service = new WSService(array("operations" => $operations));
$service->reply();
```
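As an added example (not code from the original post or from WSF/PHP), here is the same check written so that the decision is taken only from the transport-level peer address, with a CIDR allow-list for the static-IP case and a forward-confirmed reverse DNS check for the dynamic-IP case instead of trusting $_SERVER["REMOTE_HOST"] on its own. The CIDR ranges, the domain and the response string are constructed sample values, and the code assumes IPv4 and 64-bit PHP.

```php
<?php
// Added example, not from the original post or WSF/PHP. Allow-list values
// below are constructed samples.

// True if IPv4 $ip lies inside $cidr ("124.43.59.0/24") or equals a bare address.
function ip_in_cidr($ip, $cidr) {
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    list($net, $bits) = explode('/', $cidr, 2);
    $bits  = (int) $bits;
    $ip_l  = ip2long($ip);
    $net_l = ip2long($net);
    if ($ip_l === false || $net_l === false || $bits < 0 || $bits > 32) {
        return false;           // not IPv4, or a malformed range: never match
    }
    $mask = ~((1 << (32 - $bits)) - 1);
    return ($ip_l & $mask) === ($net_l & $mask);
}

// Reverse DNS alone is attacker-controlled (the IP's owner sets the PTR record).
// Only trust the name if it is in $domain AND resolves forward back to $ip.
function fcrdns_matches($ip, $domain) {
    $host = gethostbyaddr($ip);          // returns the IP itself on failure
    if ($host === false || $host === $ip) return false;
    $suffix = '.' . $domain;
    if ($host !== $domain && substr($host, -strlen($suffix)) !== $suffix) return false;
    $forward = gethostbynamel($host);    // all A records, or false
    return $forward !== false && in_array($ip, $forward, true);
}

// Decide from REMOTE_ADDR only (the TCP peer). Never use client-supplied
// headers such as X-Forwarded-For: any client can set those to anything.
function client_allowed(array $server, array $cidrs, $domain) {
    if (!isset($server['REMOTE_ADDR'])) return false;
    $ip = $server['REMOTE_ADDR'];
    foreach ($cidrs as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return fcrdns_matches($ip, $domain);
}

function members_only_func($in_message) {
    $cidrs = array('67.205.26.154/32', '124.43.59.0/24');  // constructed samples
    if (!client_allowed($_SERVER, $cidrs, 'partner.example.com')) {
        error_log('membersOnlyOp: rejected peer ' . $_SERVER['REMOTE_ADDR']); // audit trail
        throw new WSFault("Sender", "Failed to Authenticate");
    }
    return "<membersOnlyResponse>ok</membersOnlyResponse>";  // constructed sample reply
}

$service = new WSService(array("operations" => array("membersOnlyOp" => "members_only_func")));
$service->reply();
```

Because the peer address comes from the IP header, this check still only holds on a network where source-address spoofing is filtered at the routers or firewall.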
This comment is not directly related to what you are pointing out in this entry. However, it may serve as a precautionary measure. In the absence of filtering at routers/firewalls, this method is vulnerable to IP spoofing attacks. Therefore, in such situations IP based authentication should not be used as a replacement for other authentication methods, such as WS-Sec username-token, but rather as a complement if the operation being protected is very sensitive.
Hi Nabeel,
Thanks for the note.
I think I got what you are pointing out. The server possibly determines the source IP from the header of the IP packet, which can be easily regenerated with a fake source IP by some attacker.
Here I was answering to the problem asked in the forum http://wso2.org/forum/thread/4609, http://wso2.org/forum/thread/4659. I will mention your note in there too.
Thanks
Dimuthu
Hi Dimuthu, you have done a good job on IP based authentication.
But here I have done using username password based authentication.
You can check it from this link.
http://my-source-codes.blogspot.com/2010/02/php-nusoap-web-services-and.html
Thanks.
Hi Dimuthu,
Thanks for writing the article.
Dimuthu, as Nabeel says, IP based authentication can be spoofed. What happens if we also restrict access to our web service by Apache access control? Does this add some more security?
Please suggest; I am waiting for your reply.
Thanks.
Hi,
Sure. If Apache access control is used, you can avoid IP spoofing attacks. If you are using WSF/PHP you can use the username token, which does authentication at the application level with more control. See here: http://www.dimuthu.org/blog/2008/09/23/authenticate-using-username-token-from-php-2-minutes-introduction/
Thank you, Dimuthu,
I am using PEAR::SOAP in our application, that's why I can't use your "authentication by username token". If you have any other idea to secure a PEAR::SOAP web service then please update me; it will help me a lot.
Thank you