Soap Ws And Param Filter


on a SOAP web service, when I set this filter (to check a API key) :

protected function preFilter($filterChain)


	if ('testApiKey'

			!== Yii::app()->request->getParam('apiKey')) // the 'getParam()' here messes it all

		return false;

	return true;


Here is my test script :


$client=new SoapClient('https://myapp.local/mycontroller/service?apiKey=testApiKey', array(

  'soap_version' => SOAP_1_2, // or try SOAP_1_1

  'cache_wsdl' =>  WSDL_CACHE_NONE, // WSDL_CACHE_BOTH in production

  'trace' => 1,




Without the filter, I get :


  0 => string 'String foo(String $bar)' (length=24)


  0 => string 'bar' (length=3)

which is correct.

With my filter ON, I get :


  0 => string 'String foo(String $bar)' (length=24)



Thanks for your kind and much appreciated help!

SOAP does not support attributes like this.

What you are doing is you add a GET attribute to the WSDL url, not the method call. So it’s not there when you test for it in preFilter.

You need to add this attribute to every method you want to call through SOAP or use headers in SOAP client. Headers aren’t supported in the WSDL generator shipped with Yii, I’ve built my own and it currently awaits as a pull request.


With this test script :

$client=new SoapClient('http://myapp.local/mycontroller/service/testApiKey', array(

  'soap_version' => SOAP_1_2, // or try SOAP_1_1

  'cache_wsdl' =>  WSDL_CACHE_NONE, // WSDL_CACHE_BOTH in production

  'trace' => 1,

  'exceptions' => true,




Wireshark shows me 3 HTTP sent requests :

107	2.134154	HTTP	70	GET /mycontroller/service/testApiKey HTTP/1.1 

126	2.154847	HTTP/XML	851	POST /mycontroller/service?ws=1 HTTP/1.1 

143	2.160741	HTTP	70	GET /mycontroller/service HTTP/1.1 

Tell me if I’m wrong :

  • the first one stands for the client instantiation and the WSDL Get

  • the second one is the call of the method

  • WTF is the last one ???

My idea was to check the API key only when Yii::app()-&gt;request-&gt;getParam('ws') is null (c.f., but this last third request screws it all up (it has neither ‘ws’, nor ‘apiKey’ params)!

Please help!


I don’t know what’s calling that, maybe inspecting the HTTP headers would help.

If you want to do some filtering only for SOAP method calls use the beforeWebMethod and afterWebMethod methods. They are used when you controller implements the IWebServiceProvider interface.