John,
I knew
I shouldn't have used that example. :-) As I mentioned, the example could
be for a read operation as well, where the implementation provides fine-grained
access control on the get_* operations as well as for publishing. So
let's change the example to one where the user tried a
get_bindingDetail call and the server determined the user wasn't allowed to read
the data.
Thanks,
Dave
______________________________________
Dave Schneider ---
dschneider@e2open.com
Dave,
In the save_binding scenario you describe I would
expect a registry to return E_userMismatch.
John Colgrave
IBM
----- Original Message -----
Sent: Tuesday, February 04, 2003 2:35
PM
Subject: RE: [uddi-dev] Error code for
authz failures?
Andrew,
Maybe I'm just not clear on what an "invalid" token would be. The
scenario I describe is one where the user has obtained a perfectly valid
authInfo token that is not yet expired. It's just that due to the
authorization policies in place, the user is not allowed to
read/publish/modify the data in question.
While this could apply equally well to a get_* operation, an
example might be that someone attempts to use save_binding to modify
an existing BindingTemplate. But since the user either isn't the owner
of the object, or isn't in an access group that has been granted modify
access, the server determines the user isn't allowed to modify that
BindingTemplate. In this case, are you saying the appropriate response
is E_authTokenRequired despite the fact that the caller provided an unexpired
and valid token?
Thanks,
Dave
______________________________________
Dave Schneider ---
dschneider@e2open.com
Dave,
For registries using
the UDDI security API set, the following should be appropriate:
E_authTokenRequired: (10120) Signifies
that an authentication token is missing or is invalid for an API call that
requires authentication.
As other
mechanisms are outside the scope of the UDDI specification, authorization
errors relating to those mechanisms should be covered outside the UDDI
specification.
If there is a need
to provide a more granular error within the UDDI specification, please provide
more information or the use case for further detailing authorization
errors.
Andrew Hately IBM Austin UDDI Development, Emerging
Technologies
Dave Schneider
<dschneider@e2open.com>
02/03/2003 06:18 PM
|
To
| "'uddi-dev@lists.oasis-open.org'"
<uddi-dev@lists.oasis-open.org>
|
cc
|
|
Subject
| [uddi-dev] Error code
for authz failures? |
|
Given that every API in v3 takes an optional authInfo parameter, I
was surprised I didn't find an error code such as E_accessDenied
or E_authzFailed in Chapter 12 of the v3 spec. The only thing seemed
close was E_requestDenied, but the description implies its use is only for
requesting subscription renewals. Any idea what the appropriate error
code should be when the server decides the caller isn't authorized to do
what's
being requested?
Thanks, Dave
______________________________________ Dave
Schneider ---
dschneider@e2open.com
|