----- Original Message -----
Sent: Tuesday, February 04, 2003 2:35 PM
Subject: RE: [uddi-dev] Error code for authz failures?
Andrew,
Maybe I'm just not clear on what an "invalid" token would be. The scenario I describe is one where the user has obtained a perfectly valid authInfo token that is not yet expired. It's just that due to the authorization policies in place, the user is not allowed to read/publish/modify the data in question.

While this could apply equally well to a get_* operation, an example might be that someone attempts to use save_binding to modify an existing BindingTemplate. But since the user either isn't the owner of the object, or isn't in an access group that has been granted modify access, the server determines the user isn't allowed to modify that BindingTemplate. In this case, are you saying the appropriate response is E_authTokenRequired despite the fact that the caller provided an unexpired and valid token?
Thanks,
Dave
______________________________________
Dave Schneider ---
dschneider@e2open.com
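A constructed illustration of the distinction Dave is drawing, added here and not code from the thread or from any UDDI implementation: token validation and the save_binding ownership/group check are separate steps, E_authTokenRequired (10120, as quoted by Andrew) is reserved for the first, and the authorization error returned by the second is a placeholder named after Dave's proposed E_accessDenied, since the spec as discussed has no such code. The sample tokens, group table and BindingTemplate are all constructed inline.

```python
from dataclasses import dataclass, field

# 10120 is the code quoted in the thread; the authorization error is a
# placeholder (the E_accessDenied name Dave proposed), not a UDDI v3 code.
E_AUTH_TOKEN_REQUIRED = ("E_authTokenRequired", 10120)
E_ACCESS_DENIED_PLACEHOLDER = ("E_accessDenied", None)  # hypothetical

@dataclass
class AuthInfo:
    user: str
    expires_at: int  # constructed: epoch-style seconds

@dataclass
class BindingTemplate:
    key: str
    owner: str
    modify_groups: set = field(default_factory=set)

# Constructed sample data: tokens the registry issued, group membership,
# and one BindingTemplate owned by alice, editable by group members.
ISSUED_TOKENS = {
    "tok-alice": AuthInfo("alice", expires_at=2000),
    "tok-bob": AuthInfo("bob", expires_at=2000),
    "tok-carol": AuthInfo("carol", expires_at=2000),
    "tok-stale": AuthInfo("dave", expires_at=500),
}
GROUP_MEMBERS = {"binding-editors": {"bob"}}
BINDING = BindingTemplate("uddi:example:binding-1", owner="alice",
                          modify_groups={"binding-editors"})

def authenticate(auth_info, now):
    """Step 1: token present, known and unexpired; otherwise E_authTokenRequired."""
    info = ISSUED_TOKENS.get(auth_info) if auth_info else None
    if info is None or info.expires_at <= now:
        return None
    return info

def save_binding(auth_info, template, now):
    """Return None on success, else the (errno, code) a dispositionReport would carry."""
    principal = authenticate(auth_info, now)
    if principal is None:
        return E_AUTH_TOKEN_REQUIRED
    # Step 2: a valid token is not permission. Dave's case: the caller is
    # neither the owner nor in a group granted modify access.
    in_group = any(principal.user in GROUP_MEMBERS.get(g, set())
                   for g in template.modify_groups)
    if principal.user != template.owner and not in_group:
        return E_ACCESS_DENIED_PLACEHOLDER
    return None
```

Logging which of the two steps rejected a call is what lets an operator tell a credential problem from a policy denial when reviewing registry activity.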
Dave,
For registries using the UDDI security API set, the following should be appropriate:

E_authTokenRequired: (10120) Signifies that an authentication token is missing or is invalid for an API call that requires authentication.

As other mechanisms are outside the scope of the UDDI specification, authorization errors relating to those mechanisms should be covered outside the UDDI specification.

If there is a need to provide a more granular error within the UDDI specification, please provide more information or the use case for further detailing authorization errors.
Andrew Hately
IBM Austin
UDDI Development, Emerging Technologies
Dave Schneider <dschneider@e2open.com>
02/03/2003 06:18 PM
To: "'uddi-dev@lists.oasis-open.org'" <uddi-dev@lists.oasis-open.org>
Subject: [uddi-dev] Error code for authz failures?
Given that every API in v3 takes an optional authInfo parameter, I was surprised I didn't find an error code such as E_accessDenied or E_authzFailed in Chapter 12 of the v3 spec. The only thing that seemed close was E_requestDenied, but the description implies its use is only for requesting subscription renewals. Any idea what the appropriate error code should be when the server decides the caller isn't authorized to do what's being requested?
Thanks,
Dave
______________________________________
Dave Schneider ---
dschneider@e2open.com