Subject: [dsml-comment] SAP Comments On Current DSML v2 Specification
Hi,

I have been following DSML v2 activities for some time. I have reviewed the current DSML v2 specification with a group of architects and developers. Please find the collected comments.

1. There is no explanation in the specification for "AbandonRequest". Although the reader can assume that it is the same as defined in LDAP v3, even then adding a couple of lines does not hurt.

2. "authRequest" positional error response. If "authRequest" is not the first one in the "batchRequest", what kind of error response does the server return?

3. How does a "batchRequest" with an "authRequest" work with the "processing=parallel" value? There should be some recommendation in the specification that talks about this. In this case, the recommendation might be,

   a. Parallel processing is not allowed with a "batchRequest" containing an "authRequest", or

   b. In case of parallel processing with a "batchRequest" containing an "authRequest", the server MUST process the "authRequest" before processing any other requests.

   I would prefer to have the first statement, as parallel processing with an "authRequest" might become very complicated.

4. "authRequest" access rights error. On page 10 under section "5.1 Auth": "If authRequest operations are supported, then if there are access rights errors, processing proceeds as for a BatchRequest without an authRequest - i.e., an appropriate errorResponse is generated, etc." I am not sure what it means. Let's take an example; there are five DSML requests in a "batchRequest" with the first one as "authRequest".

       <batchRequest >
         <authRequest>.........</authRequest>
         <modifyRequest >....</modifyRequest>
         <addRequest > ........</addRequest>
         <delRequest>... ...... </delRequest>
         <searchRequest>.......</searchRequest>
       </batchRequest>

   There is an access error on "addRequest". What kind of response is produced? Will the response have:

   a. Successful response for the first two operations and error response for the rest of the operations, or

   b. Successful for the first two, errorResponse for the "addRequest" and successful response for the next two operations (assuming that the last two operations do not require any access check)?

   The statement is vague: "....processing proceeds as for a batchRequest without an authRequest-i.e. an appropriate errorResponse is generated, etc." The statement neither says that all the following requests are going to be responded to with "errorResponse", nor does it say clearly that, in the case of requests which follow the access error request, if the access check is not required those requests will be processed successfully. Some explicit explanation would be helpful.

5. The word "authRequest" creates confusion. It should be something like "authzRequest", as this operation is to indicate the security principal for the rest of the operations in "batchRequest". "authRequest" gives the idea that it has something to do with authentication.

6. "batchRequest" with an "authRequest" processing. On page 2 under the differences between DSML v2 and LDAP, it is mentioned, "the document itself is not used to authenticate the requestor." In other words, authentication support is not in the scope of DSML v2. At the same time, in the LDAPResultCode, there are two codes, "inappropriateAuthentication" and "invalidCredentials". If the DSML client is not sending the authentication information, why should it get these LDAPResultCode values in response? If the authentication is done at the transport level, the authentication response should also be at the same level.

7. Parallel processing with responseOrder="unordered". On page 7, the statement: "If the client fails to specify a requestID for each request, the server must return an errorResponse with type="malformedRequest"." This statement is not clear about the requests with requestID. This should be changed to "If the client fails to specify a requestID for a request, the server must return a corresponding errorResponse with type="malformedRequest"."

8. Confusion between Provider and DSML Server. On page 6 in the footnote, there is a statement "Obviously neither this nor the previous condition can happen ......" Why? The provider still needs to connect to the DSML Server (which is tightly integrated with the directory server), which may fail.

9. Syntax Error Handling Location. The roles of the provider and the DSML Server are not clearly defined for the syntax error handling. It seems like syntax checking is done at both places, which is confusing. Read these two statements: on page 8 under section "Resuming on error", "The provider does not attempt any requests that follow the first syntax error in the document", and on page 5 under "Syntax errors", "If the server detects the syntax error before performing any directory operations on behalf of the client". Is syntax checking a MUST? Is syntax checking at the provider a MUST? Is syntax checking at the server a MUST? Why do we need syntax checking at both places? Is there any difference between the provider's error response and the server's error response for the same syntax error? Are the provider and the server checking for the same type of syntax errors?

10. In the "Syntax errors" section on page 5, there is no statement on the processing of syntax errors. Are they performed sequentially or in parallel? There is, though, a paragraph (the last paragraph) on page 8 under the "Resuming on error" section on the syntax error checking, which says that syntax checking is done sequentially: "Even when processing="parallel", the syntax checking of a request document is performed sequentially. The provider does not attempt any requests that follow the first syntax error in the document." But if you read the two sentences together, it seems like this is only true for the provider. What kind of syntax checking is done at the server, sequentially or in parallel?

11. In my opinion, the section "Resuming on error" on page 7 is about the processing of DSML requests and not about syntax error handling. The confusion starts when you read the last paragraph in this section: "Even when processing="parallel", the syntax checking of a request document is performed sequentially. The provider does not attempt any requests that follow the first syntax error in the document." I do not understand why this paragraph is here. It gives an implicit signal that the "Resuming on error" section also talks about syntax errors. In my opinion, syntax error handling is not affected by the "onError" attribute. My rationale is this: the "onError" attribute is only meant for server side processing, and syntax checking is also done at the provider side. Then if you look at the second paragraph in section "Resuming on error" on page 7, "In a BatchRequest with onError="exit", the server stops executing request elements as soon as one request element fails, and the response that is sent implicitly includes a notAttempted response for all requests that do not otherwise have a response." And then you look at the example in section "Syntax errors" on page 5:

    "DSMLv2 Request containing syntax error:

        <batchRequest xmlns="urn:oasis:names:tc:DSML:2:0:core">
          <modifyRequest>...</modifyRequest>
          <addRequest>...</addRequest>
          <bogusRequest>...</bogusRequest>
          <addRequest>...</addRequest>
          ...
        </batchRequest>

    DSMLv2 Response Document - Syntax error in request:

        <batchResponse xmlns="urn:oasis:names:tc:DSML:2:0:core">
          <modifyResponse>...</modifyResponse>
          <addResponse>...</addResponse>
          <errorResponse type="malformedRequest">
            <message>Unknown element 'bogusRequest' line 87 column 4</message>
          </errorResponse>
        </batchResponse>"

    The "batchResponse" does not contain the notAttempted response for the last "addRequest". It implicitly means that the "onError" attribute does not affect the syntax errors. This section does not explicitly mention that syntax error handling is not affected by the "onError" attribute. Am I missing something? In my opinion, making this explicit and moving the last paragraph to the "Syntax errors" section shall help readers to interpret the correct meaning.

12. Although I do not agree with the inclusion of the syntax checking paragraph in the "Resuming on error" section on page 8, I see confusion there. "The provider does not attempt any requests that follow the first syntax error in the document." So when the provider (which is doing the syntax checking sequentially) finds the first syntax error, it does not process the requests following the error request. Does it mean that it creates a filtered document with all the requests till the error request (not including the error request!) and sends it to the server? This is based on the fact that the provider always sends the complete DSML document to the server, otherwise the server cannot check the complete DSML document for syntax errors.

13. Page 8, two boxes on top: Where is the response for the last "addRequest", and why is the response to the first "addRequest" an "errorResponse" with "notAttempted"? As the processing=parallel and onExit=Resume, I would expect that the server should process all the requests?

Regards,
Dipak Chopra
Technology Architecture Group, SAP
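Added example (not part of the original message or of the DSML v2 specification): a pre-flight check of a batchRequest for the conditions raised in comments 2, 3 and 7. The function name `preflight`, the finding strings and both sample documents are constructed for illustration, and flagging an authRequest under processing="parallel" assumes option (a) from comment 3; the check only reports findings, since the response a server returns for them is the open question.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:DSML:2:0:core"  # namespace quoted in the message

# Constructed sample documents (not taken from the specification).
SAMPLE_OK = """<batchRequest xmlns="urn:oasis:names:tc:DSML:2:0:core">
  <authRequest principal="cn=app,dc=example,dc=com"/>
  <addRequest dn="cn=a,dc=example,dc=com"/>
</batchRequest>"""

SAMPLE_BAD = """<batchRequest xmlns="urn:oasis:names:tc:DSML:2:0:core"
    processing="parallel" responseOrder="unordered">
  <delRequest requestID="1" dn="cn=a,dc=example,dc=com"/>
  <authRequest principal="cn=app,dc=example,dc=com"/>
  <addRequest dn="cn=b,dc=example,dc=com"/>
</batchRequest>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def preflight(xml_text):
    """Return findings for comments 2, 3 and 7; an empty list means none apply."""
    # Constructed input only: harden the parser before feeding it untrusted XML.
    batch = ET.fromstring(xml_text)
    if batch.tag != "{%s}batchRequest" % NS:
        return ["root element is not a DSML v2 batchRequest"]
    findings = []
    requests = list(batch)
    auth_at = [i for i, r in enumerate(requests) if local(r.tag) == "authRequest"]
    # Comment 2: an authRequest that is not first names the principal too late.
    if any(i != 0 for i in auth_at):
        findings.append("authRequest is not the first request")
    # Comment 3, option (a): the writer's preferred rule, assumed here.
    if auth_at and batch.get("processing") == "parallel":
        findings.append("authRequest combined with processing=parallel")
    # Comment 7: unordered responses can only be matched up by requestID.
    if batch.get("responseOrder") == "unordered":
        for i, r in enumerate(requests):
            if r.get("requestID") is None:
                findings.append("request %d (%s) has no requestID" % (i + 1, local(r.tag)))
    return findings

if __name__ == "__main__":
    for name, doc in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, preflight(doc))
```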