[ 
https://issues.apache.org/jira/browse/JENA-990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14632778#comment-14632778
 ] 

Andy Seaborne edited comment on JENA-990 at 7/19/15 10:58 AM:
--------------------------------------------------------------

> Basically if the graph is read-only authentication will not solve the add 
> denied exception – right?

Yes, a read-only graph is not (necessarily) a security issue. Hence:

I think the "AccessDeniedException" I suggested is what you call 
AuthenticationRequiredException.

I haven't seen a case of a situation which is OperationDeniedException but not 
AccessDeniedException and it seems there is redundancy:

OperationDeniedException > AddDeniedException
OperationDeniedException > DeleteDeniedException
OperationDeniedException > AuthenticationRequiredException

Should there be a PermissionsFailedException to go with 
AuthenticationRequiredException?  PermissionsFailedException means that 
authentication says no. AuthenticationRequiredException means ask for 
authentication.

AuthenticationRequiredException => 403
PermissionsFailedException => 401

AddDeniedException, and all OperationDeniedException, means => "Can't" which 
would be 400 (the best choice in HTTP).


was (Author: andy.seaborne):
> Basically if the graph is read-only authentication will not solve the add 
> denied exception – right?

Yes, a read-only graph is not (necessarily) a security issue. Hence:

I think the "AccessDeniedException" I suggested is what you call 
AuthenticationRequiredException.

I haven't seen a case of a situation which is OperationDeniedException but not 
AccessDeniedException and it seems there is redundancy:

OperationDeniedException > AddDeniedException
OperationDeniedException > DeleteDeniedException
OperationDeniedException > AuthenticationRequiredException

Should there be a PermissionsFailedException to go with 
AuthenticationRequiredException?  PermissionsFailedException means that 
authentication says no.

AuthenticationRequiredException => 403
PermissionsFailedException => 401

AddDeniedException => "Can't": not a security issue => 400

>  rename the UpdateDeniedException
> ---------------------------------
>
>                 Key: JENA-990
>                 URL: https://issues.apache.org/jira/browse/JENA-990
>             Project: Apache Jena
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: Jena 3.0.0
>            Reporter: Claude Warren
>            Assignee: Claude Warren
>            Priority: Minor
>
> As noted in a discussion on the dev list between myself and Andy this update 
> is to rename the current UpdateDeniedException to AccessDeniedException and 
> extend it from a newly created OperationDeniedException.
> AddDeniedException and DeleteDeniedException will extend 
> AccessDeniedException.
> jena-permissions will extend AccessDeniedException to create:
> ReadDeniedException -- for read restrictions
> UpdateDeniedException -- for update restrictions (modifying triples that 
> already exist as opposed to adding new triples)
> This will allow Fuseki to properly respond to the case where jena-permissions 
> is in place and there are update restrictions in place.  Currently Fuseki 
> returns this as a 500 error.  Once we have a common permission denied 
> exception we can return either authentication required or access denied as 
> appropriate.


