OASIS Mailing List Archives: odata message

Subject: Re: [odata] [OASIS Issue Tracker] Commented: (ODATA-301) Guidance around data authorization model and secure authenticated access to an OData Service

If the revision of OData Protocol Workproduct will be uploaded to Kavi some hours before the meeting, we could all see the application and then probably I for one might be tempted to:

**move** to close ODATA-34, ODATA-48, ODATA-144, ODATA-192, ODATA-223, ODATA-224, ODATA-239, ODATA-240, ODATA-286, ODATA-298, ODATA-301, ODATA-323, ODATA-326, ODATA-330, ODATA-331, ODATA-332, ODATA-334, ODATA-335, ODATA-336, ODATA-337, ODATA-339, ODATA-340, ODATA-341, ODATA-342, ODATA-343, ODATA-345, ODATA-347, ODATA-350, ODATA-352, ODATA-353, ODATA-354, ODATA-355, ODATA-356, ODATA-357, ODATA-358, ODATA-359, ODATA-360, ODATA-361, and ODATA-363 as applied.

after the editors will have pointed out all "[...] issues where they had problems with applying"


All the best,

On 01.05.13 09:39, OASIS Issues Tracker wrote:

     [ http://tools.oasis-open.org/issues/browse/ODATA-301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=33256#action_33256 ]

Hubert Heijkers commented on ODATA-301:

Since we accepted this issue we changed conformance level names. I trust you add the requirement for basic authentication to the now 'Advanced' conformance level?
Also I'm not convinced that a client MUST support this to be an interoperable client.

Guidance around data authorization model and secure authenticated access to an OData Service

                 Key: ODATA-301
                 URL: http://tools.oasis-open.org/issues/browse/ODATA-301
             Project: OASIS Open Data Protocol (OData) TC
          Issue Type: Improvement
          Components: OData Protocol
    Affects Versions: V4.0_CSD01
         Environment: [Applied]
            Reporter: Ralf Handl
            Assignee: Martin Zurmuehl
             Fix For: V4.0_CSD01

For interoperability it is highly desirable to define a common minimum set of authentication methods, e.g. if a service requires authentication, it MUST accept basic authentication over HTTPS in addition to whatever else it chooses.
For data authorization we give guidance whether the data model may depend on the authenticated user, or only the data content. It puts a higher burden on clients if properties or entity sets appear in or disappear from the model depending on the authenticated user, requiring them to always first interpret $metadata, or if only the data content depends on it, i.e. entities show up or not, nullable properties appear to be null or contain confidential information.
