Re: UWS 0.4

From: Patrick Dowler <patrick.dowler-at-nrc-cnrc.gc.ca>
Date: Mon, 16 Jun 2008 09:51:07 -0700


On 2008-6-16 05:13, Guy Rixon wrote:
> I see UWS sites split into two classes w.r.t security: those that  
> control access to the data and those that don't (the majority). The  
> secured ones ought to do as you and Pat suggest. For the unsecured  
> ones, access is anonymous, so there's no problem with listing the  
> jobs or even the job details.

If I was to implement a UWS service that accepted anonymous job submission, I would return a 403 (FORBIDDEN) if someone tried to GET the job list itself. I just don't think astronomers will use something for research if anyone can see their work in progress (or attempted work). ** this is with an otherwise unsecured service **

If I was to implement some sort of authenticated access (where users could see their own jobs in the job list, or an admin role could see everything) then I would return a 401 (UNAUTHORIZED) which says the same thing as 403 except that authenticating will potentially change access. In vanilla HTTP the 401 would normally include a challenge for basic or digest authentication, so the details of the authentication mechanism may affect the legitimacy of this (e.g. have not read the SSO in detail :-)

I don't see anything in the UWS pattern that would forbid me implementing a service this way, so I have no problem with things as they are now... just thought I would mention that in general I would not expect the job list to be visible.

-- 

Patrick Dowler
Tel/Tél: (250) 363-6914                  | fax/télécopieur: (250) 363-0045
Canadian Astronomy Data Centre   | Centre canadien de donnees astronomiques
National Research Council Canada | Conseil national de recherches Canada
Government of Canada                  | Gouvernement du Canada
5071 West Saanich Road               | 5071, chemin West Saanich
Victoria, BC                                  | Victoria (C.-B.)
Received on 2008-06-16Z18:53:28
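
The job-list policy described in the message above, as an added sketch that is not part of the original post or of any UWS implementation. The function name, the `Job` and `Caller` types, the realm string and the sample jobs are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Job:
    job_id: str
    owner: Optional[str]  # None for a job submitted anonymously


@dataclass(frozen=True)
class Caller:
    name: str
    is_admin: bool = False


# Constructed sample data, not taken from any real service.
JOBS = [Job("job-1", "alice"), Job("job-2", "bob"), Job("job-3", "alice")]


def get_job_list(jobs: List[Job], authenticated_service: bool,
                 caller: Optional[Caller]):
    """Decide the response to GET on the job list.

    Returns (status, headers, visible_job_ids).
    """
    if not authenticated_service:
        # Anonymous-submission service: the list is never enumerable,
        # and no credential would change that, so 403 with no challenge.
        return 403, {}, []
    if caller is None:
        # Authenticating could change the outcome, so answer 401 and
        # include a challenge (Basic here; the realm is an assumed value).
        return 401, {"WWW-Authenticate": 'Basic realm="uws-jobs"'}, []
    if caller.is_admin:
        # Admin role sees every job.
        return 200, {}, [j.job_id for j in jobs]
    # Ordinary users see only the jobs they own.
    return 200, {}, [j.job_id for j in jobs if j.owner == caller.name]
```
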