

Subject: [dsml-comment] SAP Comments On Current DSML v2 Specification


Hi,

I have been following DSML v2 activities for some time. I have reviewed the
current DSML v2 specification with a group of architects and developers.

Please find the collected comments.

1. There is no explanation in the specification for "AbandonRequest".
Although the reader can assume that it is the same as defined in LDAP v3,
even then adding a couple of lines does not hurt.
2. "authRequest" positional error response. If "authRequest" is not the
first one in the "batchRequest", what kind of error response does the server
return?
3. How does a "batchRequest" with an "authRequest" work with
"processing=parallel" value? There should be some recommendation in the
specification that talks about this. In this case, the recommendation might
be, 
a.	Parallel processing is not allowed with a "batchRequest" containing
an "authRequest", or
b.	In case of parallel processing with a "batchRequest" containing an
"authRequest", the server MUST process the "authRequest" before processing
any other requests.
I would prefer to have the first statement as parallel processing with an
"authRequest" might become very complicated.
4. "authRequest" access rights error. On page 10 under section "5.1 Auth", 
"If authRequest operations are supported, then if there are access rights
errors, processing proceeds as for a BatchRequest without an authRequest -
i.e., an appropriate errorResponse is generated, etc."
I am not sure what it means. Let's take an example; there are five DSML
requests in a "batchRequest" with the first one as "authRequest". 
<batchRequest>
   <authRequest>.........</authRequest>
   <modifyRequest>....</modifyRequest>
   <addRequest>........</addRequest>
   <delRequest>.........</delRequest>
   <searchRequest>.......</searchRequest>
</batchRequest>

There is an access error on "addRequest". What kind of response is produced?
Will the response have:
a.	Successful response for the first two operations and error response
for the rest of operations or 
b.	Successful for the first two, errorResponse for the "addRequest" and
successful response for the next two operations (assuming that the last two
operations do not require any access check)?

The statement is vague: "....processing proceeds as for a batchRequest
without an authRequest - i.e., an appropriate errorResponse is generated, etc."
The statement neither says that all the following requests are going to be
answered with "errorResponse", nor does it say clearly that the requests
which follow the access error request will be processed successfully if the
access check is not required for them. Some explicit explanation
would be helpful.
5. "authRequest" word creates confusion. It should be something like
"authzRequest" as this operation is to indicate the security principal for
the rest of operations in "batchRequest". "authRequest" gives an idea that
it has something to do with authentication.
6. "batchRequest" with an "authRequest" processing. On page 2 under the
differences between DSML v2 and LDAP, it is mentioned, "the document itself
is not used to authenticate the requestor." In other words, authentication
support is not in the scope of DSML v2. At the same time, in the
LDAPResultCode, there are two codes "inappropriateAuthentication" and
"invalidCredentials". If the DSML client is not sending the authentication
information, why should it get these LDAPResultCode values in response? If
the authentication is done at the transport level, authentication response
should also be at the same level. 
7. Parallel Processing with responseOrder="unordered". On page 7, the
statement "If the client fails to specify a requestID for each request, the
server must return an errorResponse with type="malformedRequest"." This
statement does not say clearly what happens to the requests with requestID. This
should be changed to "If the client fails to specify a requestID for a
request, the server must return a corresponding errorResponse with
type="malformedRequest"."
8. Confusion between Provider and DSML Server. On page 6 in the footnote,
there is a statement "Obviously neither this nor the previous condition can
happen ......" Why? Provider still needs to connect to DSML Server (which is
tightly integrated with directory server), which may fail.
9. Syntax Error Handling Location. The roles of provider and DSML Server are
not clearly defined for the syntax error handling. It seems like syntax
checking is done at both places, which is confusing. Read these two
statements, on page 8 under section "Resuming on error", "The provider does
not attempt any requests that follow the first syntax error in the
document", and on page 5 under "Syntax errors", "If the server detects the
syntax error before performing any directory operations on behalf of the
client".
Is syntax checking a MUST?
Is syntax checking at provider a MUST?
Is syntax checking at server a MUST?
Why do we need syntax checking at both places?
Is there any difference between provider's error response and server's error
response for the same syntax error?
Are provider and server checking for same type of syntax errors?
10. In the "Syntax errors" section on page 5, there is no statement on the
processing of syntax errors. Are they performed sequentially or in parallel?
Although there is a paragraph (the last paragraph) on page 8 under "Resuming
on error" section on the syntax error checking, which says that syntax
checking is done sequentially. 
"Even when processing="parallel", the syntax checking of a request document
is performed sequentially. The provider does not attempt any requests that
follow the first syntax error in the document."
But if you read the two sentences together, it seems like this is only true
for the provider. What kind of syntax checking is done at the server,
sequentially or in parallel?
11. In my opinion, the section "Resuming on error" on page 7 is about the
processing of DSML requests and not about syntax error handling. The
confusion starts when you read the last paragraph in this section. 
"Even when processing="parallel", the syntax checking of a request document
is performed sequentially. The provider does not attempt any requests that
follow the first syntax error in the document."
I do not understand why this paragraph is here. It gives an implicit signal
that "Resuming on error" section also talks about syntax errors. 
In my opinion, syntax error handling is not affected by "onError" attribute.
My rationale is this. "onError" attribute is only meant for server side
processing and syntax checking is also done at the provider side. Then if
you look at the second paragraph in section "Resuming on error" on page 7,
"In a BatchRequest with onError="exit", the server stops executing request
elements as soon as one request element fails, and the response that is sent
implicitly includes a notAttempted response for all requests that do not
otherwise have a response."
And then you look at the example in section "Syntax errors" on page 5,
"DSMLv2 Request containing syntax error:
<batchRequest xmlns="urn:oasis:names:tc:DSML:2:0:core">
   <modifyRequest>...</modifyRequest>
   <addRequest>...</addRequest>
   <bogusRequest>...</bogusRequest>
   <addRequest>...</addRequest>  
    ...
</batchRequest>
 
DSMLv2 Response Document - Syntax error in request:
<batchResponse xmlns="urn:oasis:names:tc:DSML:2:0:core">
   <modifyResponse>...</modifyResponse>
   <addResponse>...</addResponse>
   <errorResponse type="malformedRequest">
      <message>Unknown element 'bogusRequest'  line 87 column 4</message>
   </errorResponse>
</batchResponse>"
The "batchResponse" does not contain the notAttempted response for the last
"addRequest". It implicitly means that "onError" attribute does not affect
the syntax errors. 
This section does not explicitly mention that syntax error handling is not
affected by the "onError" attribute. Am I missing something? In my opinion,
making this explicit and moving the last paragraph to the "Syntax errors"
section shall help readers to interpret the correct meaning.
12. Although I do not agree with the inclusion of the syntax checking
paragraph in the "Resuming on error" section on page 8, I see confusion
there. 
"The provider does not attempt any requests that follow the first syntax
error in the document." So when the provider (which is doing the syntax
checking sequentially) finds the first syntax error, it does not process the
requests following the error request. Does it mean that it creates a
filtered document with all the requests up to the error request (not
including the error request!) and sends it to the server? This is based on the
fact that the provider always sends the complete DSML document to the server;
otherwise the server cannot check the complete DSML document for syntax errors.
13. Page 8, two boxes on top: Where is the response for the last
"addRequest", and why is the response to the first "addRequest" an
"errorResponse" with "notAttempted"? As the processing=parallel and
onExit=Resume, I would expect that the server should process all the requests?

Regards,

Dipak Chopra
Technology Architecture Group, SAP
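
Added example (not part of the original message or of the DSML v2 specification): a Python pre-flight check that a DSML gateway could run over a batchRequest to flag the ambiguous cases raised in comments 2, 3, 7 and 10 before any directory operation is attempted. The name `lint_batch`, the sample document and its DNs are constructed for illustration; request element names beyond those in the message, and the `principal` and `dn` attributes, are taken from DSML v2.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:DSML:2:0:core"  # namespace used in the spec example quoted above
# Request elements of a DSML v2 batchRequest (a superset of those named in the message).
KNOWN = {"authRequest", "searchRequest", "modifyRequest", "addRequest", "delRequest",
         "modDNRequest", "compareRequest", "abandonRequest", "extendedRequest"}

# Constructed sample: authRequest out of position, parallel/unordered processing,
# one request without requestID, and one unknown element.
SAMPLE = f"""<batchRequest xmlns="{NS}" processing="parallel" responseOrder="unordered">
  <modifyRequest requestID="1" dn="cn=a,dc=example,dc=com"/>
  <authRequest requestID="2" principal="cn=admin,dc=example,dc=com"/>
  <addRequest dn="cn=b,dc=example,dc=com"/>
  <bogusRequest/>
  <delRequest requestID="5" dn="cn=c,dc=example,dc=com"/>
</batchRequest>"""

def lint_batch(xml_text):
    """Return [(comment_number, finding), ...] for one batchRequest document."""
    root = ET.fromstring(xml_text)
    prefix = f"{{{NS}}}"
    if root.tag != prefix + "batchRequest":
        raise ValueError("not a DSML v2 batchRequest")
    parallel = root.get("processing") == "parallel"
    unordered = root.get("responseOrder") == "unordered"
    children = list(root)
    findings = []
    for pos, child in enumerate(children):
        # Elements outside the DSML namespace keep their full tag and count as unknown.
        name = child.tag[len(prefix):] if child.tag.startswith(prefix) else child.tag
        if name not in KNOWN:
            # Sequential syntax check: report the first unknown element and stop.
            later = len(children) - pos - 1
            findings.append((10, f"unknown element '{name}' at position {pos}; "
                                 f"{later} later request(s) not examined"))
            break
        if name == "authRequest":
            if pos != 0:
                findings.append((2, f"authRequest at position {pos}, not first"))
            if parallel:
                findings.append((3, 'authRequest combined with processing="parallel"'))
        if parallel and unordered and child.get("requestID") is None:
            findings.append((7, f"{name} at position {pos} has no requestID"))
    return findings

if __name__ == "__main__":
    for number, finding in lint_batch(SAMPLE):
        print(f"comment {number}: {finding}")
```

How each finding should be answered on the wire is exactly what the comments above ask the specification to define, so the check only reports the condition and does not build a response.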

