[OGSA-BES-WG] The up-to-date specification?
Christopher Smith
csmith at platform.com
Wed Feb 20 11:58:24 CST 2008
On 20/2/08 09:39, "Steven Newhouse" <Steven.Newhouse at microsoft.com> wrote:
>> Authentication and authorization are orthogonal to each other and out
>> of scope of BES.
>
> This is what I was trying to get across earlier. It's a property of the
> container and the service hosting policy NOT something the service should have
> to enforce. Only authenticated and authorized requests should make it to the
> service implementation.
>
> That is why there is no NotAuthorizedFault in the BESManagement port type
> operations.
>
> WS-Security just authenticates you. Your container (should) perform an
> authorization decision before passing your message on to your service.
>
It's true that WS-Security already deals with the authentication fault, but
authorization is the property of the container (can this authenticated user
perform this management action?), so perhaps these operations should be able
to thrown a NotAuthorizedFault. I'm a bit surprised it's not there, and
given that many probably haven't implemented this port type, I'm not
surprised it hasn't had more scrutiny.
-- Chris
More information about the ogsa-bes-wg
mailing list