On 20/2/08 09:39, "Steven Newhouse" <Steven.Newhouse@microsoft.com> wrote:
Authentication and authorization are orthogonal to each other and out of scope of BES.
This is what I was trying to get across earlier. It's a property of the container and the service hosting policy NOT something the service should have to enforce. Only authenticated and authorized requests should make it to the service implementation.
That is why there is no NotAuthorizedFault in the BESManagement port type operations.
WS-Security just authenticates you. Your container (should) perform an authorization decision before passing your message on to your service.
It's true that WS-Security already deals with the authentication fault, but authorization is the property of the container (can this authenticated user perform this management action?), so perhaps these operations should be able to thrown a NotAuthorizedFault. I'm a bit surprised it's not there, and given that many probably haven't implemented this port type, I'm not surprised it hasn't had more scrutiny. -- Chris