UWS 0.4
Patrick Dowler
patrick.dowler at nrc-cnrc.gc.ca
Mon Jun 16 09:51:07 PDT 2008
On 2008-6-16 05:13, Guy Rixon wrote:
> I see UWS sites split into two classes w.r.t security: those that
> control access to the data and those that don't (the majority). The
> secured ones ought to do as you and Pat suggest. For the unsecured
> ones, access is anonymous, so there's no problem with listing the
> jobs or even the job details.

If I was to implement a UWS service that accepted anonymous job submission,
I would return a 403 (FORBIDDEN) if someone tried to GET the job list itself.
I just don't think astronomers will use something for research if anyone can
see their work in progress (or attempted work). ** this is with an otherwise
unsecured service **

IF I was to implement some sort of authenticated access (where users could see
their own jobs in the job list, or an admin role could see everything) then I
would return a 401 (UNAUTHORIZED) which says the same thing as 403 except
that authenticating will potentially change access. In vanilla http the 401
would normally include a challenge for basic or digest authentication, so the
details of the authentication mechanism may affect the legitimacy of this
(eg. have not read the SSO in detail :-)

I don't see anything in the UWS pattern that would forbid me implementing a
service this way, so I have no problem with things as they are now... just
thought I would mention that in general I would not expect the job list to be
visible.

--
Patrick Dowler
Tel/Tél: (250) 363-6914 | fax/télécopieur: (250) 363-0045
Canadian Astronomy Data Centre | Centre canadien de donnees astronomiques
National Research Council Canada | Conseil national de recherches Canada
Government of Canada | Gouvernement du Canada
5071 West Saanich Road | 5071, chemin West Saanich
Victoria, BC | Victoria (C.-B.)
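
The job-list policy described in the message above, sketched as an added example; it is not part of the original post or of any UWS implementation. The function name, the `Response` type, the sample jobs and the Basic challenge are assumptions (the message leaves the authentication mechanism open), and `user` is assumed to come from credentials that were already validated.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample data: job id -> owner (None = submitted anonymously).
SAMPLE_JOBS: Dict[str, Optional[str]] = {
    "job1": "alice",
    "job2": "bob",
    "job3": None,
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: List[str] = field(default_factory=list)


def get_job_list(service_authenticates: bool,
                 user: Optional[str],
                 is_admin: bool = False,
                 jobs: Optional[Dict[str, Optional[str]]] = None) -> Response:
    """Decide the response to a GET on the job list resource."""
    jobs = SAMPLE_JOBS if jobs is None else jobs

    if not service_authenticates:
        # Anonymous-only service: callers cannot be told apart, and
        # authenticating would not change the outcome, so the answer is 403.
        return Response(403)

    if user is None:
        # Authenticating may change the outcome, so the answer is 401.
        # A 401 carries a challenge; Basic is used here as a stand-in.
        return Response(401, {"WWW-Authenticate": 'Basic realm="uws-jobs"'})

    if is_admin:
        # Admin role sees every job, including anonymous submissions.
        return Response(200, body=sorted(jobs))

    # Ordinary users see only the jobs they own; never fall back to
    # the full list when the filter matches nothing.
    return Response(200, body=sorted(j for j, o in jobs.items() if o == user))
```
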