Scenario: The server is GlassFish with JAX-WS web services and the clients are PHP-based.
What type of authentication for web services is more compatible with PHP-based clients?
1. HTTP Basic Authentication
2. HTTPS Client Authentication
3. Mutual Authentication (is it supported?)
4. Digest Authentication (is it supported?)
Description:
Specifying an Authentication Mechanism
No. 1 over HTTPS is most compatible, easy to implement in PHP. Don't use #1 over clear HTTP.
Don't know what you mean by No. 2 and No. 3, they sound the same to me. That can be done with curl.
No. 4 is also supported in CURL.
Whatever solution you choose, use HTTPS to send sensitive information. So:
1. Don't
2. This will work but... Who is going to deliver the certificates? How many clients will you have? Can you handle this? And, more complicated, can you maintain this (revoke certificates over time, etc.; that's the trickiest part)?
3. See #2.
4. I'm not a fan.
Maybe have a look at WS-Security UsernameToken (or a custom solution based on SOAP headers). I'm not a PHP expert but WS-Security seems to be supported (at least partially) by some PHP stacks. See:
- Building SOAP WS-Security UsernameToken in PHP
- Authenticate using Username Token from PHP – 2 Minutes Introduction (using WSF/PHP)
- Connecting to WS-Security protected Web Service with PHP
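
The WS-Security UsernameToken approach suggested in the answer above, sketched for PHP's built-in SoapClient as an added example that is not part of the original answers. The endpoint, namespace URI and credentials are placeholders, and it assumes the server accepts the PasswordDigest form of the token.

```php
<?php
// Added example, not from the original answers. Endpoint, namespace URI and
// credentials below are placeholders (assumptions).
const WSSE = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd';
const WSU  = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd';
const PW_DIGEST = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest';
const B64 = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary';

// Build the <wsse:Security> header carrying a UsernameToken with PasswordDigest.
function usernameTokenXml(string $user, string $password): string
{
    $nonce   = random_bytes(16);          // fresh per request so the server can reject replays
    $created = gmdate('Y-m-d\TH:i:s\Z');  // UTC creation time, checked against a freshness window
    // The profile defines the digest as Base64(SHA-1(nonce + created + password)),
    // with the nonce as raw bytes (not its Base64 text).
    $digest  = base64_encode(sha1($nonce . $created . $password, true));

    return '<wsse:Security xmlns:wsse="' . WSSE . '" xmlns:wsu="' . WSU . '">'
         . '<wsse:UsernameToken>'
         . '<wsse:Username>' . htmlspecialchars($user, ENT_XML1 | ENT_QUOTES, 'UTF-8') . '</wsse:Username>'
         . '<wsse:Password Type="' . PW_DIGEST . '">' . $digest . '</wsse:Password>'
         . '<wsse:Nonce EncodingType="' . B64 . '">' . base64_encode($nonce) . '</wsse:Nonce>'
         . '<wsu:Created>' . $created . '</wsu:Created>'
         . '</wsse:UsernameToken></wsse:Security>';
}

// TLS with certificate and host name verification left on; the digest only
// protects the password, not the message body.
$tls = stream_context_create(['ssl' => ['verify_peer' => true, 'verify_peer_name' => true]]);

// Non-WSDL mode so nothing is fetched until a method is actually called.
$client = new SoapClient(null, [
    'location'       => 'https://ws.example.com/service',   // placeholder endpoint
    'uri'            => 'urn:example:service',              // placeholder namespace
    'stream_context' => $tls,
]);

// XSD_ANYXML makes SoapClient emit the string as raw XML inside <Header>.
$xml = usernameTokenXml('alice', 'constructed-password');   // constructed credentials
$client->__setSoapHeaders(new SoapHeader(WSSE, 'Security', new SoapVar($xml, XSD_ANYXML)));

echo $xml, PHP_EOL;   // inspect the header that will accompany each call
```

Because each header embeds a one-time nonce and timestamp, call `__setSoapHeaders` with a freshly built token before every request rather than reusing one header across calls.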
-1- no go, dangerous, sniffable
-2-4- sort of same level
You should consider using some modern (and complicated) standards like OAuth.