WSSE Authentication Middleware

0.1.0 2017-03-27 17:53 UTC

This package is auto-updated.

Last update: 2020-10-05 10:04:10 UTC


WSSE Middleware is a PHP library that protects your application using the WSSE Username Token.

Build Status


composer require renanbr/wsse-middleware


You need to give usernames and passwords as an array or an instance of PasswordRepositoryInterface.

$wsseMiddleware = new RenanBr\WsseMiddleware([
    'john' => 'super$ecret',
    'bob' => 'str0ngPassword',



See how to do the last step in some nice frameworks:


Password repository

Users' passwords came from somewhere, usually from a database. Fortunately the WsseMiddleware's constructor is able to work with PasswordRepositoryInterface.

interface RenanBr\WsseMiddleware\PasswordRepositoryInterface
    /** @throws RenanBr\WsseMiddleware\PasswordNotFoundException */
    public function getPasswordByUsername(string $username): string;

Note: You MUST to throw an instance of PasswordNotFoundException if user doesn't exist, is expired, inactive...

Here, an example using PDO:

class PdoPasswordRepository
    implements RenanBr\WsseMiddleware\PasswordRepositoryInterface
    private $pdo;

    public function __construct(PDO $pdo)
        $this->pdo = $pdo;

    public getPasswordByUsername(string $username): string
        $stmt = $this->pdo->query('SELECT password FROM user WHERE username = ?');
        $password = $stmt->fetchColumn();
        if (false === $password) {
            throw new RenanBr\WsseMiddleware\PasswordNotFoundException();

        return $password;

Nonce caching

You can avoid nonce reuse passing an instance of Psr\SimpleCache\CacheInterface to the middleware.


Note: This library rejects any request not using nonce by default.

Timestamp limitation

This library rejects any UsernameToken that contains stale creation timestamp, the default value is five minutes.

You can change this configuration:

$wsseMiddleware->setTimestampLimitation(60); // 1 minute

Note: This library rejects any request not using creation timestamp by default.