[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [wsrp-interop] guest/anonymous user access revisited
I managed to take a brief look at these materials and wonder if we ended
up at the following:
1. Passing null as the user context still exists and still means the
consumer doesn't know who the user is -- i.e. this is an
anonymous/guest user however representing it this way means the
consumer can't pass any user category information.
2. If a consumer supports "guest" categories they must use an
alternative way to represent the guest user. To do this they pass
a userContext of "wsrp:minimal"
3. Consumers can only map consumer categories that a guest is in to
wsrp:minimal. It can only do this if the producer actually says
it uses/cares about wsrp:minimal.
4. In an such a conducive environment the consumer needs a way to
communicate/distinguish between a guest that isn't mapped to
wsrp:minimal and a guest that is. I.e. the user of the consumer
might have decided that guest categories shouldn't be mapped to
anything in this producer [not "wsrp:minimal"] and hence wants to
communicate that its guests run with no user cateory [i.e. NOT
wsrp:minimal]
I.e. in the end we said wsrp:minimal is the only valid user category for
a guest user because such a beast is a special case and we had no way to
distinguish [allow a producer to declare] which user categories apply to
this special case vs the typical "all user case". However, once we said
there was a way to have a meaningful user category for a guest then we
needed a way to distinguish between a consumer that says its guest
should have that user category vs. the absence of that category.
If this makes sense/sounds right then I think what we have is still okay
and doesn't need changing -- we merely need to take our minutes and
expand it into real words describing motivations and explaning uses.
-Mike-
Richard Jacob wrote:
>
>
>here is the link to our original decision captured in the minutes:
>http://www.oasis-open.org/apps/org/workgroup/wsrp/wsrp-interop/download.php/2925/20030717%20WSRP%20Interoperability%20Minutes.doc
>
>This one has not found its way to the spec, and was planned to be part of
>the errata.
>Currently this is a Interop SC convention communicated to the TC.
>
>Please review the minutes, and my summary and let me know your opinions.
>
>Mit freundlichen Gruessen / best regards,
>
> Richard Jacob
>______________________________________________________
>IBM Lab Boeblingen, Germany
>Dept.8288, WebSphere Portal Server Development
>WSRP Standardization Technical Lead
>Phone: ++49 7031 16-3469 - Fax: ++49 7031 16-4888
>Email: mailto:richard.jacob@de.ibm.com
>
>
>
> Richard
> Jacob/Germany/IBM
> @IBMDE To
> wsrp-interop@lists.oasis-open.org
> 06/03/2004 01:06 cc
> PM
> Subject
> [wsrp-interop] guest/anonymous user
> access revisited
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>Hi all,
>
>we had the discussion about guest/anonymous user conventions some time ago.
>I volunteered to pick this up again and search for the rationales that led
>to our convention.
>First, here is a summary of why we felt we need to revisit this issue:
>
>1. Producers are not required to provide any categories in the
>ServiceDescription.userCategoryDescriptions
>2. Consumers are not allowed to specify any userCategory not defined in the
>Producer's ServiceDescription
>1+2=3. If the Producer does not define any user category being supported,
>the convention we've choosen prevents the Consumer to specify an anonymous
>user simply because it would contradict either 2. or the convention -> no
>way out for the Consumer.
>
>Personally, I don't remember why we argued that userCategory in the
>userContext has to be wsrp:minimal, too.
>I guess the argument here was that a guest user is considered a user with
>minimal category as defined in the spec and therefor it
>would not be convienient to assert a higher degree category to a guest
>user.
>But as said, what if the Producer does not define wsrp:minimal as
>supported?
>In the end the producer prevents guest user category assertions in this
>case -- which could be perfectly valid, this would be a kind of a
>negotiation then?
>
>If the contextKey is wsrp:minimal the Producer already knows that it's a
>guest user and can assert whatever category he likes for that user (if he
>supports any, otherwise the discussion is obsolet).
>If the Consumer for instance sends wsrp:full in conjunction with
>wsrp:minimal contextKey, the Producer should be free to ignore that and
>reset it to wsrp:minimal?
>
>I finally found the thread (we moved it to the wsrp mailing list to target
>a larger audience) in July 2003.
>I found no real rationale for having a must for both: userContextKey and
>userCategory=wsrp:minimal.
>The only indications I found were that we maybe wanted to express that
>guest users fit in exactly this one category (then why do we want to
>assert one?)
>
>However as I wrote in my summary, the producer can always interpret the
>userContextKey=wsrp:minimal as a guest and therefor ignore any
>categoryAssertions from the Consumer and choose wsrp:minimal (or any other
>he uses for such a group of users).
>The initial intent comming from Mike was to actually ASSERT a category to
>such a user class, therefore we defined our dummy userContextKey.
>From todays point of view we actually PREVENTED that any other category can
>be asserted to this user set!
>Mike, I wonder why you didn't stand up :-)
>
>Atul also raised the question, whether a userContext=null couldn't also
>mean this guest user?
>In that case we loose the initial intent to assert categories to guest
>users.
>
>So I see the following flaws currently and the following options:
>
>1. we need to get rid of the MUST of userCategory=wsrp:minimal in that
>case.Otherwise it doesn't make any sense to assert any category, the
>Producer could always make a default assertion to wsrp:minial or any other
>category if he sees userContextKey=wsrp:minimal
>2. user userContextKey=wsrp:minimal for guest user's and allow the consumer
>to assert any category for these users (which the producer declared as
>supported) -- it's another question if the producer follows this assertion.
>3. userContext=null as defined currently: no assumptions about the user, no
>(predefined) category assertions
>4. userContext=null equals anonymous user?: producer can treat the user as
>he would treat it in 2. but assert a default "guest" category of its choice
>(I think consumer would do something anyways and is already covered).
>
>My opinion is:
>we should do 1., 2. and 3..
>
>
>Mit freundlichen Gruessen / best regards,
>
> Richard Jacob
>______________________________________________________
>IBM Lab Boeblingen, Germany
>Dept.8288, WebSphere Portal Server Development
>WSRP Standardization Technical Lead
>Phone: ++49 7031 16-3469 - Fax: ++49 7031 16-4888
>Email: mailto:richard.jacob@de.ibm.com
>
>
>To unsubscribe from this mailing list (and be removed from the roster of
>the OASIS TC), go to
>http://www.oasis-open.org/apps/org/workgroup/wsrp-interop/members/leave_workgroup.php
>.
>
>
>
>
>To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wsrp-interop/members/leave_workgroup.php.
>
>
>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]