[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [wsrp-interop] guest/anonymous user access revisited
my comments to the points below: 1. agreed 2. agreed, we've choosen the userContextKey for that purpose 3. why only to wsrp:minimal? couldn't the producer also define a guest user catgegory "guest" and expose it in its service description. In that case the consumer could map his guest categories to the producer's guest category? Isn't it just a special case that we assume that a guest is such a special thing that it could only be assigned a "low" category like wsrp:minimal? (This also prereqs the producer to declare wsrp:minimal as supported). Can't the producer also do some kind of implicit internal) mapping if it sees a guest user, espacially when we talk about case 1. This is what we mandate in the spec. 4. OK, could be a use case. But what would be the userContext then? null or userContextKey=wsrp:minimal + userCategory=null. If I understood your intent in 2. correctly, then the latter option would be appropriate, or? I think in general we agree and there are only nuances in the interpretation. To express a guest user where the consumer doesn't care about assigning a category we're perfectly done with 1. If a consumer want to assign a category to an end user we need userContextKey=wsrp:minimal + category. I really don't see why we limit this to just wsrp:minimal. This prereqs the producer to a) support it and b) to have the same interpretation of it. But producers could also be free to have a special guest category (like you proposed it for consumers) and would like consumers to assert it in that case. Also it contradicts the first case. On the producer side we have to deal with two kinds of guest users then. If the consumer passes userContext = null then the producer should map it to some category if it supports one (that's what we mandate in the spec) - this category could be guest. If the consumer passes userContext != null + userContextKey=wsrp:minimal, etc. then the producer would be enforced to map this user to wsrp:minimal although it might want it to be guest. Therefor I wouldn't restrict the userCategory to just wsrp:minimal. If this is the only allowed assertion then it would be redundant anyway? userContextKey=wsrp:minimal means guest, if passed the producer could also assume wsrp:minimal category in that case. Mit freundlichen Gruessen / best regards, Richard Jacob ______________________________________________________ IBM Lab Boeblingen, Germany Dept.8288, WebSphere Portal Server Development WSRP Standardization Technical Lead Phone: ++49 7031 16-3469 - Fax: ++49 7031 16-4888 Email: mailto:richard.jacob@de.ibm.com Michael Freedman <Michael.Freedman @oracle.com> To wsrp-interop@lists.oasis-open.org 06/04/2004 01:21 cc AM Subject Re: [wsrp-interop] guest/anonymous user access revisited I managed to take a brief look at these materials and wonder if we ended up at the following: 1. Passing null as the user context still exists and still means the consumer doesn't know who the user is -- i.e. this is an anonymous/guest user however representing it this way means the consumer can't pass any user category information. 2. If a consumer supports "guest" categories they must use an alternative way to represent the guest user. To do this they pass a userContext of "wsrp:minimal" 3. Consumers can only map consumer categories that a guest is in to wsrp:minimal. It can only do this if the producer actually says it uses/cares about wsrp:minimal. 4. In an such a conducive environment the consumer needs a way to communicate/distinguish between a guest that isn't mapped to wsrp:minimal and a guest that is. I.e. the user of the consumer might have decided that guest categories shouldn't be mapped to anything in this producer [not "wsrp:minimal"] and hence wants to communicate that its guests run with no user cateory [i.e. NOT wsrp:minimal] I.e. in the end we said wsrp:minimal is the only valid user category for a guest user because such a beast is a special case and we had no way to distinguish [allow a producer to declare] which user categories apply to this special case vs the typical "all user case". However, once we said there was a way to have a meaningful user category for a guest then we needed a way to distinguish between a consumer that says its guest should have that user category vs. the absence of that category. If this makes sense/sounds right then I think what we have is still okay and doesn't need changing -- we merely need to take our minutes and expand it into real words describing motivations and explaning uses. -Mike- Richard Jacob wrote: here is the link to our original decision captured in the minutes: http://www.oasis-open.org/apps/org/workgroup/wsrp/wsrp-interop/download.php/2925/20030717%20WSRP%20Interoperability%20Minutes.doc This one has not found its way to the spec, and was planned to be part of the errata. Currently this is a Interop SC convention communicated to the TC. Please review the minutes, and my summary and let me know your opinions. Mit freundlichen Gruessen / best regards, Richard Jacob ______________________________________________________ IBM Lab Boeblingen, Germany Dept.8288, WebSphere Portal Server Development WSRP Standardization Technical Lead Phone: ++49 7031 16-3469 - Fax: ++49 7031 16-4888 Email: mailto:richard.jacob@de.ibm.com Richard Jacob/Germany/IBM @IBMDE To wsrp-interop@lists.oasis-open.org 06/03/2004 01:06 cc PM Subject [wsrp-interop] guest/anonymous user access revisited Hi all, we had the discussion about guest/anonymous user conventions some time ago. I volunteered to pick this up again and search for the rationales that led to our convention. First, here is a summary of why we felt we need to revisit this issue: 1. Producers are not required to provide any categories in the ServiceDescription.userCategoryDescriptions 2. Consumers are not allowed to specify any userCategory not defined in the Producer's ServiceDescription 1+2=3. If the Producer does not define any user category being supported, the convention we've choosen prevents the Consumer to specify an anonymous user simply because it would contradict either 2. or the convention -> no way out for the Consumer. Personally, I don't remember why we argued that userCategory in the userContext has to be wsrp:minimal, too. I guess the argument here was that a guest user is considered a user with minimal category as defined in the spec and therefor it would not be convienient to assert a higher degree category to a guest user. But as said, what if the Producer does not define wsrp:minimal as supported? In the end the producer prevents guest user category assertions in this case -- which could be perfectly valid, this would be a kind of a negotiation then? If the contextKey is wsrp:minimal the Producer already knows that it's a guest user and can assert whatever category he likes for that user (if he supports any, otherwise the discussion is obsolet). If the Consumer for instance sends wsrp:full in conjunction with wsrp:minimal contextKey, the Producer should be free to ignore that and reset it to wsrp:minimal? I finally found the thread (we moved it to the wsrp mailing list to target a larger audience) in July 2003. I found no real rationale for having a must for both: userContextKey and userCategory=wsrp:minimal. The only indications I found were that we maybe wanted to express that guest users fit in exactly this one category (then why do we want to assert one?) However as I wrote in my summary, the producer can always interpret the userContextKey=wsrp:minimal as a guest and therefor ignore any categoryAssertions from the Consumer and choose wsrp:minimal (or any other he uses for such a group of users). The initial intent comming from Mike was to actually ASSERT a category to such a user class, therefore we defined our dummy userContextKey. From todays point of view we actually PREVENTED that any other category can be asserted to this user set! Mike, I wonder why you didn't stand up :-) Atul also raised the question, whether a userContext=null couldn't also mean this guest user? In that case we loose the initial intent to assert categories to guest users. So I see the following flaws currently and the following options: 1. we need to get rid of the MUST of userCategory=wsrp:minimal in that case.Otherwise it doesn't make any sense to assert any category, the Producer could always make a default assertion to wsrp:minial or any other category if he sees userContextKey=wsrp:minimal 2. user userContextKey=wsrp:minimal for guest user's and allow the consumer to assert any category for these users (which the producer declared as supported) -- it's another question if the producer follows this assertion. 3. userContext=null as defined currently: no assumptions about the user, no (predefined) category assertions 4. userContext=null equals anonymous user?: producer can treat the user as he would treat it in 2. but assert a default "guest" category of its choice (I think consumer would do something anyways and is already covered). My opinion is: we should do 1., 2. and 3.. Mit freundlichen Gruessen / best regards, Richard Jacob ______________________________________________________ IBM Lab Boeblingen, Germany Dept.8288, WebSphere Portal Server Development WSRP Standardization Technical Lead Phone: ++49 7031 16-3469 - Fax: ++49 7031 16-4888 Email: mailto:richard.jacob@de.ibm.com To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wsrp-interop/members/leave_workgroup.php . To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/wsrp-interop/members/leave_workgroup.php .
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]