uddi-dev message
Subject: RE: [uddi-dev] Error code for authz failures?
- From: Dave Schneider <dschneider@e2open.com>
- To: 'Andrew Hately' <hately@us.ibm.com>
- Date: Tue, 04 Feb 2003 06:35:36 -0800
Andrew,

Maybe I'm just not clear on what an "invalid" token would be. The scenario I describe is one where the user has obtained a perfectly valid authInfo token that is not yet expired. It's just that due to the authorization policies in place, the user is not allowed to read/publish/modify the data in question.

While this could apply equally well to a get_* operation, an example might be that someone attempts to use save_binding to modify an existing BindingTemplate. But since the user either isn't the owner of the object, or isn't in an access group that has been granted modify access, the server determines the user isn't allowed to modify that BindingTemplate. In this case, are you saying the appropriate response is E_authTokenRequired despite the fact that the caller provided an unexpired and valid token?

Thanks,
Dave
______________________________________
Dave Schneider --- dschneider@e2open.com
Dave,

For registries using the UDDI security API set, the following should be appropriate:

E_authTokenRequired: (10120) Signifies that an authentication token is missing or is invalid for an API call that requires authentication.

As other mechanisms are outside the scope of the UDDI specification, authorization errors relating to those mechanisms should be covered outside the UDDI specification.

If there is a need to provide a more granular error within the UDDI specification, please provide more information or the use case for further detailing authorization errors.

Andrew Hately
IBM Austin
UDDI Development, Emerging Technologies
Dave Schneider <dschneider@e2open.com>
02/03/2003 06:18 PM
To: "'uddi-dev@lists.oasis-open.org'" <uddi-dev@lists.oasis-open.org>
cc:
Subject: [uddi-dev] Error code for authz failures?
Given that every API in v3 takes an optional authInfo parameter, I was surprised I didn't find an error code such as E_accessDenied or E_authzFailed in Chapter 12 of the v3 spec. The only thing that seemed close was E_requestDenied, but the description implies its use is only for requesting subscription renewals. Any idea what the appropriate error code should be when the server decides the caller isn't authorized to do what's being requested?

Thanks,
Dave
______________________________________
Dave Schneider --- dschneider@e2open.com
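As an added example that is not part of this thread or of any UDDI registry implementation: a server-side sketch of the save_binding case Dave describes, following Andrew's answer that E_authTokenRequired (10120) is the code to return when a caller holds a valid, unexpired authInfo token but is not permitted to modify the BindingTemplate. The token store, the owner/access-group model, the binding key, the response text and the audit-record layout are assumptions constructed here for illustration; only the dispositionReport/result/errInfo element structure and the 10120 code come from UDDI v3 and the thread.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

UDDI_API_V3 = "urn:uddi-org:api_v3"
ET.register_namespace("", UDDI_API_V3)  # emit the UDDI namespace as the default one

# The only applicable code per the thread: the v3 spec has no separate
# authorization-failure code, so "valid token, not permitted" maps here too.
E_AUTH_TOKEN_REQUIRED = ("E_authTokenRequired", 10120)
WIRE_MESSAGE = "authentication token missing or invalid"  # constructed wording


@dataclass(frozen=True)
class AuthInfo:
    token: str
    user: str
    expires_at: float


# Constructed sample registry state; none of this is real data.
NOW = 1_000_000.0
TOKENS = {
    "tok-alice": AuthInfo("tok-alice", "alice", NOW + 3600),
    "tok-bob": AuthInfo("tok-bob", "bob", NOW + 3600),
    "tok-dave": AuthInfo("tok-dave", "dave", NOW + 3600),
    "tok-stale": AuthInfo("tok-stale", "carol", NOW - 60),
}
BINDING_KEY = "uddi:example.com:binding-1"   # hypothetical binding key
BINDING_OWNERS = {BINDING_KEY: "alice"}
MODIFY_GROUPS = {BINDING_KEY: {"ops-team"}}   # access groups granted modify rights
GROUP_MEMBERS = {"ops-team": {"dave"}}


def authenticate(token: Optional[str], now: float = NOW) -> tuple[Optional[AuthInfo], str]:
    """Resolve an authInfo token; returns (AuthInfo, 'ok') or (None, reason)."""
    if not token:
        return None, "token missing"
    info = TOKENS.get(token)
    if info is None:
        return None, "token unknown"
    if info.expires_at <= now:
        return None, "token expired"
    return info, "ok"


def authorize_modify(user: str, binding_key: str) -> tuple[bool, str]:
    """The owner, or a member of a group granted modify access, may modify."""
    owner = BINDING_OWNERS.get(binding_key)
    if owner is None:
        return False, "binding unknown"
    if owner == user:
        return True, "owner"
    for group in MODIFY_GROUPS.get(binding_key, ()):
        if user in GROUP_MEMBERS.get(group, ()):
            return True, f"member of {group}"
    return False, "not owner and not in a modify group"


def disposition_report(err_code: str, errno: int, text: str) -> str:
    """Serialize a UDDI v3 dispositionReport carrying a single result element."""
    report = ET.Element(f"{{{UDDI_API_V3}}}dispositionReport")
    result = ET.SubElement(report, f"{{{UDDI_API_V3}}}result", errno=str(errno))
    err_info = ET.SubElement(result, f"{{{UDDI_API_V3}}}errInfo", errCode=err_code)
    err_info.text = text
    return ET.tostring(report, encoding="unicode")


def handle_save_binding(token: Optional[str], binding_key: str) -> tuple[bool, str, dict]:
    """
    Returns (succeeded, response_body, audit_record).  The wire response is the
    same 10120 report whether the token was unusable or merely not authorized;
    the audit record keeps the exact stage and reason for server-side logging.
    """
    audit = {"op": "save_binding", "bindingKey": binding_key}
    info, why = authenticate(token)
    if info is None:
        code, errno = E_AUTH_TOKEN_REQUIRED
        audit.update(outcome="denied", stage="authn", reason=why)
        return False, disposition_report(code, errno, WIRE_MESSAGE), audit
    audit["user"] = info.user
    ok, why = authorize_modify(info.user, binding_key)
    if not ok:
        code, errno = E_AUTH_TOKEN_REQUIRED
        audit.update(outcome="denied", stage="authz", reason=why)
        return False, disposition_report(code, errno, WIRE_MESSAGE), audit
    audit.update(outcome="saved", reason=why)
    # A real registry returns the saved bindingDetail here; an empty one stands in.
    body = ET.tostring(ET.Element(f"{{{UDDI_API_V3}}}bindingDetail"), encoding="unicode")
    return True, body, audit


if __name__ == "__main__":
    for tok in ("tok-alice", "tok-dave", "tok-bob", "tok-stale", None):
        ok, body, audit = handle_save_binding(tok, BINDING_KEY)
        print(ok, audit["outcome"], audit.get("stage"), audit["reason"])
        print("   ", body)
```

The point the sketch makes concrete is the one Dave is asking about: with only E_authTokenRequired available, a caller with an expired token and a caller with a perfectly good token who simply lacks modify rights receive byte-identical dispositionReports. That keeps authorization policy details off the wire, but it also means the registry's own log is the only place where "not owner and not in a modify group" is recorded, so the audit record, not the response, is what a monitoring pipeline should consume.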