
Subject: [OASIS Issue Tracker] Updated: (ODATA-301) Guidance around data authorization model and secure authenticated access to an OData Service


     [ http://tools.oasis-open.org/issues/browse/ODATA-301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ralf Handl updated ODATA-301:
-----------------------------

    Proposal: 
Services requiring authentication SHOULD support basic authentication over HTTPS and MAY support other authentication methods. Interoperable services MUST support basic authentication.

Services SHOULD NOT change their data model depending on the authenticated user. If the data model is user (group) dependent, all changes MUST be safe changes as defined in 5.2 Endpoint Versioning when comparing the actual model to the model visible to users with minimal authorizations.

  was:
Services requiring authentication MUST support basic authentication over HTTPS and MAY support other authentication methods.

Services SHOULD NOT change their data model depending on the authenticated user. If the data model is user (group) dependent, all changes MUST be safe changes as defined in 5.2 Endpoint Versioning when comparing the actual model to the model visible to users with minimal authorizations.


I agree and changed the proposal.

> Guidance around data authorization model and secure authenticated access to an OData Service
> --------------------------------------------------------------------------------------------
>
>                 Key: ODATA-301
>                 URL: http://tools.oasis-open.org/issues/browse/ODATA-301
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: Improvement
>          Components: OData Protocol 
>    Affects Versions: V4.0_WD01
>         Environment: [Proposed]
>            Reporter: Ralf Handl
>             Fix For: V4.0_WD01
>
>
> For interoperability it is highly desirable to define a common minimum set of authentication methods, e.g. if a service requires authentication, it MUST accept basic authentication over HTTPS in addition to whatever else it chooses.
> For data authorization we give guidance on whether the data model may depend on the authenticated user, or only the data content. It puts a higher burden on clients if properties or entity sets appear in or disappear from the model depending on the authenticated user, requiring them to always first interpret $metadata, than if only the data content depends on it, i.e. entities show up or not, and nullable properties appear to be null or contain confidential information.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
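The proposal above says that when a service does expose a user-dependent model, the actual model must be reachable from the model seen by a minimally authorized user by safe changes only. The following Python script is an added example, not part of the issue text or of any OData implementation: it reduces two $metadata (CSDL) documents to their entity sets and properties and reports every difference that is not a pure addition. It assumes that "safe change" means additive only (new entity sets, new properties; no removals or type changes), which is this example's reading of the Endpoint Versioning section rather than a quote from it, that the CSDL uses the OData 4.0 XML namespaces, and the three CSDL documents embedded below are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# CSDL 4.0 XML namespaces (Edmx wrapper and Edm schema elements).
EDMX = "{http://docs.oasis-open.org/odata/ns/edmx}"
EDM = "{http://docs.oasis-open.org/odata/ns/edm}"


def parse_csdl(csdl_xml):
    """Reduce a CSDL document to {entity_set: (entity_type, {prop: (type, nullable)})}.

    Only what the comparison needs is kept: which entity sets the container
    exposes, the entity type each one is bound to, and that type's properties.
    """
    root = ET.fromstring(csdl_xml)
    types, entity_sets = {}, {}
    for schema in root.iter(EDM + "Schema"):
        namespace = schema.get("Namespace")
        for entity_type in schema.findall(EDM + "EntityType"):
            props = {}
            for prop in entity_type.findall(EDM + "Property"):
                # Nullable defaults to true in CSDL when the attribute is absent.
                nullable = prop.get("Nullable", "true").lower() == "true"
                props[prop.get("Name")] = (prop.get("Type"), nullable)
            types[f"{namespace}.{entity_type.get('Name')}"] = props
        for entity_set in schema.iter(EDM + "EntitySet"):
            entity_sets[entity_set.get("Name")] = entity_set.get("EntityType")
    return {name: (etype, types.get(etype, {})) for name, etype in entity_sets.items()}


def unsafe_changes(minimal, actual):
    """List every way `actual` differs from `minimal` other than by addition.

    Assumption (this example's, not the issue's): a safe change only adds
    entity sets or properties, so everything the minimal view exposes must be
    present and unchanged in the actual model. Extra items in `actual` are fine.
    """
    problems = []
    for set_name, (etype, props) in minimal.items():
        if set_name not in actual:
            problems.append(f"entity set '{set_name}' is missing from the actual model")
            continue
        actual_etype, actual_props = actual[set_name]
        if actual_etype != etype:
            problems.append(f"entity set '{set_name}' changed type {etype} -> {actual_etype}")
        for prop_name, (ptype, nullable) in props.items():
            if prop_name not in actual_props:
                problems.append(f"property '{set_name}/{prop_name}' is missing from the actual model")
                continue
            actual_type, actual_nullable = actual_props[prop_name]
            if actual_type != ptype:
                problems.append(f"property '{set_name}/{prop_name}' changed type {ptype} -> {actual_type}")
            if actual_nullable != nullable:
                problems.append(f"property '{set_name}/{prop_name}' changed Nullable {nullable} -> {actual_nullable}")
    return problems


def check_model_views(minimal_xml, actual_xml):
    """Compare the minimal-authorization view against the actual model."""
    return unsafe_changes(parse_csdl(minimal_xml), parse_csdl(actual_xml))


def _csdl(types_xml, container_xml):
    # Constructed CSDL skeleton shared by the three sample documents below.
    return f"""<edmx:Edmx xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx" Version="4.0">
  <edmx:DataServices>
    <Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="Demo">
      {types_xml}
      <EntityContainer Name="Container">{container_xml}</EntityContainer>
    </Schema>
  </edmx:DataServices>
</edmx:Edmx>"""


PRODUCT_MINIMAL = """<EntityType Name="Product"><Key><PropertyRef Name="ID"/></Key>
  <Property Name="ID" Type="Edm.Int32" Nullable="false"/>
  <Property Name="Name" Type="Edm.String"/></EntityType>"""

# What a minimally authorized user sees (constructed).
MINIMAL_CSDL = _csdl(PRODUCT_MINIMAL, '<EntitySet Name="Products" EntityType="Demo.Product"/>')

# Actual model: adds a property and an entity set, which are safe changes (constructed).
FULL_CSDL = _csdl(
    PRODUCT_MINIMAL.replace("</EntityType>", '<Property Name="CostPrice" Type="Edm.Decimal"/></EntityType>')
    + '<EntityType Name="Supplier"><Key><PropertyRef Name="ID"/></Key>'
    '<Property Name="ID" Type="Edm.Int32" Nullable="false"/></EntityType>',
    '<EntitySet Name="Products" EntityType="Demo.Product"/>'
    '<EntitySet Name="Suppliers" EntityType="Demo.Supplier"/>',
)

# A model that hides a property from some users: not a safe change (constructed).
BROKEN_CSDL = _csdl(
    PRODUCT_MINIMAL.replace('<Property Name="Name" Type="Edm.String"/>', ""),
    '<EntitySet Name="Products" EntityType="Demo.Product"/>',
)

if __name__ == "__main__":
    print("full vs minimal:", check_model_views(MINIMAL_CSDL, FULL_CSDL) or "only safe changes")
    print("broken vs minimal:", check_model_views(MINIMAL_CSDL, BROKEN_CSDL))
```

The direction of the comparison matters: the minimally authorized view is the baseline, and the model seen by users with more rights may only grow from it. A service that instead drops confidential properties from the model for low-privilege users fails this check, which is exactly the case the issue flags as burdensome for clients; keeping the property in the model and returning null for unauthorized users passes it.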
