
If you fail authorization under the container's rule it is the container that sends the fault
And that is what I've been asking for - what the fault should look like. I have my own container (which does authentication and authorization) so I must choose the most suitable fault to return.
By container I mean the web service hosting environment NOT the BES Container. It is therefore not a BES specific fault that gets sent.
Summing up, the only solution I can see now is to return standard SOAP fault with added human readable description saying that this general fault was thrown because of an authorization failure so that the client at the other side knows the reason her call was rejected.
If I'm not authorized to access a WCF service (as an example) the error message I get back as a client is very vague. Just knowing there is a service there that is rejecting you is very useful bit of information for a hostile client. Better to make it appear the message just failed to connect. Server side there should be clear logging to indicate why the connection was dropped - not authenticated and/or not authorized. Steven