Hello all,

Currently I'm working on a large (PHP5/PostgreSQL) project for one of our customers; we've built their complete web-based administration suite, which has worked very well for a few years now. At this moment some methods of the application will be exposed through a webservice. The webservice itself will be built using PHP5. I've decided to use the remote facade pattern, which acts as a "thin and dumb layer": the facade just consists of methods which, in turn, use the business logic inside the application; there is no business logic in the facade.

The facade also works as a blueprint for the WSDL; inside Zend Studio I can easily generate the needed WSDL for the webservice.

The webservice works well, but I'm looking for a neat way to secure the services. I've found out how to use SoapHeader to construct a client-side header which can be extracted at the server and used for validation purposes; this is no problem and already works too. What I'm looking for is some way to define which user has access to which methods in the webservice.

This webservice will be more important in the future so we just want to be prepared and create a solid base. Here is an example to show a very abstract view of the situation:

Code PHP:
<?php
// Minimal stand-in for the domain object the facade accepts; the real
// application defines its own User class.
class User
{
}

class BusinessUserModule
{
  public function __construct(){}
 
  /**
   * addUser
   *
   * @static 
   * @param User $objUser
   * @return boolean
   */
  public static function addUser( User $objUser )
  {
    // Placeholder: the real module persists the user in PostgreSQL.
    return true;
  }
}
 
class BusinessFormModule
{
  public function __construct(){}
 
  /**
   * getForm
   *
   * @param integer $intFormID
   * @return BusinessForm
   */
  public static function getForm( $intFormID )
  {
    // Placeholder: the real module returns a BusinessForm object.
    return 'Some exciting Form Object';
  }
}
 
// The facade only delegates to the business modules; it holds no
// business logic of its own and serves as the blueprint for the WSDL.
class RemoteWebserviceFacade
{
  public function addUser( User $objUser )
  {
    return BusinessUserModule::addUser( $objUser );
  }
 
  public function getForm( $intFormID )
  {
    return BusinessFormModule::getForm( $intFormID );
  }
}
?>

The class RemoteWebserviceFacade is, yeah, the Facade. Example: some SOAP users will be using "getForm", but are not allowed to use "addUser".

1) Should I consider creating multiple services/facades for all the different responsibilities? This will automatically result in multiple WSDLs (?); I think this is not really a solution.

2) I've been thinking of using a magic __call method in the facade which will check if the authenticated user has access to the requested SOAP method; the drawback is that WSDL generation won't work anymore.

3) Another option is to create a check in each exposed method in the webservice, which will add some logic to the facade.

How would you solve this "problem"? Maybe I'm looking in the wrong direction, so I would love to hear from you.
I've used the search engine and found http://www.sitepoint.com/forums/showthread.php?t=487386 but I didn't really find an answer to my question.

Thanks for your time!
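One way to get per-method access control without giving up the generated WSDL, as an added example that is not part of the original post or the poster's project: keep every exposed operation a real method on the facade (so Zend Studio can still read it), but let each one make a single authorize() call that consults a permission table kept outside the facade. The SoapHeader is handled by a method named after the header element, which PHP's SoapServer invokes before dispatching the operation. The header name AuthHeader, the AclRegistry and TokenAuthenticator classes, the roles and the token table are all assumptions made for the example; the credential data is constructed sample data.

```php
<?php
// Added example: per-method authorization for a PHP5 SoapServer facade.
// Every name below (AuthHeader, AclRegistry, TokenAuthenticator, the roles
// and tokens) is an assumption for illustration, not the project's own code.

// Fallback so the file also runs on a CLI without the soap extension loaded;
// with the extension present the real SoapFault class is used.
if (!class_exists('SoapFault')) {
    class SoapFault extends Exception {
        public function __construct($code, $msg) { parent::__construct($msg); }
    }
}

// The authenticated caller (kept separate from the domain's User object).
class Principal {
    public $name;
    public $roles;
    public function __construct($name, array $roles) {
        $this->name  = $name;
        $this->roles = $roles;
    }
}

// Which roles may call which facade method. Anything not listed is denied,
// so a newly added facade method is unreachable until someone grants it.
class AclRegistry {
    private static $rules = array(
        'getForm' => array('reader', 'admin'),
        'addUser' => array('admin'),
    );

    public static function isAllowed($method, Principal $who = null) {
        if ($who === null || !isset(self::$rules[$method])) {
            return false;                       // deny by default
        }
        return count(array_intersect($who->roles, self::$rules[$method])) > 0;
    }
}

// Stand-in for the real credential check; constructed sample tokens. A real
// implementation looks the token up in the database and compares it in
// constant time (hash_equals() on PHP >= 5.6) rather than with isset().
class TokenAuthenticator {
    private static $tokens = array(
        'tok-reader-1' => array('alice', array('reader')),
        'tok-admin-7'  => array('bob',   array('admin')),
    );

    public static function authenticate($token) {
        if (!is_string($token) || !isset(self::$tokens[$token])) {
            return null;
        }
        list($name, $roles) = self::$tokens[$token];
        return new Principal($name, $roles);
    }
}

class RemoteWebserviceFacade {
    private $who = null;

    // SoapServer calls a handler method with the same name as the SOAP header
    // element, so <AuthHeader><token>..</token></AuthHeader> arrives here
    // before the requested operation is dispatched.
    public function AuthHeader($header) {
        $token = isset($header->token) ? $header->token : null;
        $this->who = TokenAuthenticator::authenticate($token);
        if ($this->who === null) {
            throw new SoapFault('Client', 'Authentication failed');
        }
    }

    // The only security logic inside the facade: one call per operation,
    // keyed on the method's own name rather than on anything client-supplied.
    private function authorize($method) {
        if (!AclRegistry::isAllowed($method, $this->who)) {
            throw new SoapFault('Client', 'Access denied for ' . $method);
        }
    }

    public function getForm($intFormID) {
        $this->authorize(__FUNCTION__);
        // Would delegate to the business module here.
        return 'Form object #' . (int) $intFormID;
    }

    public function addUser($strName) {
        $this->authorize(__FUNCTION__);
        // Would delegate to the business module here.
        return true;
    }
}

// Production wiring: $s = new SoapServer('facade.wsdl');
//                    $s->setClass('RemoteWebserviceFacade'); $s->handle();
// Here the facade is driven directly so the checks can be seen from the CLI.
if (PHP_SAPI === 'cli') {
    $facade = new RemoteWebserviceFacade();
    $facade->AuthHeader((object) array('token' => 'tok-reader-1'));
    echo $facade->getForm(42), "\n";            // reader may call getForm
    try {
        $facade->addUser('mallory');            // reader is not admin
    } catch (SoapFault $e) {
        echo 'Fault: ', $e->getMessage(), "\n";
    }
}
```

Two points worth keeping when adapting this: a request that omits the header never sets the principal, so authorize() denies it for free, and the permission table is consulted with __FUNCTION__, never with a method name taken from the request. Because the table lives in AclRegistry, the facade stays the thin, WSDL-friendly layer described in the post; only the one-line authorize() call is added to each operation.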