Return-Path: 
 <users-return-253928-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
X-Original-To: apmail-tomcat-users-archive@www.apache.org
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 44919184B2
	for <apmail-tomcat-users-archive@www.apache.org>;
 Mon, 29 Jun 2015 14:56:03 +0000 (UTC)
Received: (qmail 11666 invoked by uid 500); 29 Jun 2015 14:55:59 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 11604 invoked by uid 500); 29 Jun 2015 14:55:59 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 11593 invoked by uid 99); 29 Jun 2015 14:55:59 -0000
Received: from Unknown (HELO spamd3-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 29 Jun 2015 14:55:59 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org)
 with ESMTP id C909218275B
	for <users@tomcat.apache.org>; Mon, 29 Jun 2015 14:55:58 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=0 tagged_above=-999 required=6.31
	tests=[SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled
Received: from mx1-eu-west.apache.org ([10.40.0.8])
	by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new,
 port 10024)
	with ESMTP id wala9Di2R_Tv for <users@tomcat.apache.org>;
	Mon, 29 Jun 2015 14:55:48 +0000 (UTC)
Received: from thor.wissensbank.com (h2401423.stratoserver.net
 [81.169.250.120])
	by mx1-eu-west.apache.org (ASF Mail Server at mx1-eu-west.apache.org) with
 ESMTP id AC1032136C
	for <users@tomcat.apache.org>; Mon, 29 Jun 2015 14:55:47 +0000 (UTC)
Received: from thor.wissensbank.com (localhost [127.0.0.1])
	by thor.wissensbank.com (Postfix) with ESMTP id 6265115A60021
	for <users@tomcat.apache.org>; Mon, 29 Jun 2015 16:55:41 +0200 (CEST)
Received: by thor.wissensbank.com (Postfix, from userid 500)
	id 56CF415A6004B; Mon, 29 Jun 2015 16:55:41 +0200 (CEST)
Received: from [192.168.245.214]
 (HSI-KBW-46-237-244-162.hsi.kabel-badenwuerttemberg.de [46.237.244.162])
	(Authenticated sender: andre.warnier@ice-sa.com)
	by thor.wissensbank.com (Postfix) with ESMTPA id CBFD315A60021
	for <users@tomcat.apache.org>; Mon, 29 Jun 2015 16:55:40 +0200 (CEST)
Message-ID: <55915C68.1060605@ice-sa.com>
Date: Mon, 29 Jun 2015 16:55:36 +0200
From: =?UTF-8?B?QW5kcsOpIFdhcm5pZXI=?= <aw@ice-sa.com>
Reply-To: aw@ice-sa.com
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: [OT] Re: Filter behaviour
References: 
 <CA+EUcEPEKDX+k-Zc2Hi+0QYqGyQetXoGf3DBssas3RVjyeDH-A@mail.gmail.com>
 <CY1PR0501MB1612C4E073E63592D781BA2ACCAA0@CY1PR0501MB1612.namprd05.prod.outlook.com>
In-Reply-To: 
 <CY1PR0501MB1612C4E073E63592D781BA2ACCAA0@CY1PR0501MB1612.namprd05.prod.outlook.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP

George Stanchev wrote:
> For SOAP, you *MUST* send back 500 or 400 with your SOAP fault back.
> 
> [1] http://www.w3.org/TR/soap12-part2/#tabresstatereccodes

Not to start a fight on SOAP on this Tomcat forum, but in the wording of the section 
referenced above, I definitely do not see that you *MUST* send a 5xx or 4xx Status Code back.
One should start reading a bit earlier, at "7.5.2.2 Receiving".
The gist seems to be : send a 2xx code back, along with a SOAP envelope containing the 
SOAP fault, or if you cannot, then use one of the HTTP error codes below.
But sending /only/ a HTTP error code is, in my view, confusing for the client, because it 
would not be able to distinguish between a HTTP transport error, and a service-level error.

> 
> -----Original Message-----
> From: Leo Donahue [mailto:donahulf2@gmail.com] 
> Sent: Saturday, June 27, 2015 11:45 PM
> To: Tomcat Users List
> Subject: [OT] Re: Filter behaviour
> 
> On Sat, Jun 27, 2015 at 8:37 AM, Konstantin Kolinko <knst.kolinko@gmail.com>
> wrote:
> 
>>>     public void doFilter(ServletRequest request, ServletResponse
>> response,
>>> FilterChain chain) throws IOException, ServletException
>>>     {
>>>         boolean iAmNotAuthorized = true;
>>>
>>>         if (iAmNotAuthorized)
>>>         {
>>>             // generate the HTTP Servlet Response for a 403 status code
>>>             HttpServletResponse httpResponse = (HttpServletResponse) 
>>> response;
>>>             //httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
>>>             httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
>>>             httpResponse.setHeader("WWW-Authenticate", "Basic");
>> "WWW-Authenticate" header is usually used with 401 response.
>>
>> It is unusual to use it with 403 one, though the spec does not forbid 
>> it. (I am not sure how browsers react here, though)
>>
>> http://tools.ietf.org/html/rfc7235#section-4.1
>>
>>
>> Best regards,
>> Konstantin Kolinko
>>
>>
> http://tools.ietf.org/html/rfc7231#section-6.5.3
> 
> And we "may" send a 404 to hide the existence of a forbidden target.  It's misleading.  That seems to open the door for any kind of response, or no response.
> 
> I am on the fence about sending 401 or 403 responses from a web service.
> They both indicate "something is there, you just can't get to it".
> 
> The 401 alludes that something is wrong with your username/password.
> 
> The 403 is more vague.  You "may" have the right username and password (and I'm not going to bother to tell you), but your account "may" not have the correct role associated with using this service, so rather than say anymore, I'll just let you know you are forbidden.  Users have no idea, other than there is something good at the end of this request for me to be forbidden.
> 
> From the perspective of troubleshooting customer requests to your published web service, developers can log the unsuccessful attempt (Authentication or
> Authorization) and review the log files for answers to trouble shooting, but sending back a status code doesn't seem to always make sense depending on what types of application clients your customers are using.
> 
> For example:
> 
> Suppose you call a SOAP web service that takes an object as a parameter and that service returns another type of object.  When customers expect an object, they may get a HTTP status code of 401 or 403 if they botched sending the correct username/password in the authentication header.  And maybe, their password is merely expired.  In situations like those, it seems more reasonable to send back a Soap Fault of some kind as defined in the schema.  The message could be as simple as: Authorization failed.
> 
> It seems easier for clients to know that a soap web service may throw a ClientAuthorizationException for example, rather than parse out a HTTP status code response?
> 
> I don't know though.
> 
> Leo
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org