SamCooper / COMMON_SPEC_RIDS


[Login service] Conflicting role management requirements #93

Closed apinder closed 6 years ago

apinder commented 6 years ago

The below statements from the requirements appear to be contradictory:

3.3.1 The responsibility for maintenance of the login roles is outside the scope of this specification as it is a deployment issue to define the possible roles and associate users to those roles.

and these two:

3.3.7.2 c) If roles are required by the system and the role field of the supplied Profile structure is NULL then an INVALID error shall be returned.

3.3.7.2 d) If roles are not used by the system the role field of the supplied Profile structure shall be ignored and may be set to NULL.

To determine whether the roles are required by the system you need to know implementation details of a particular deployment; therefore the login service can never know whether or not roles are required unless we provide a way for the deployment to notify the login service of this.

SamCooper commented 6 years ago

I'm not sure they are, the first is just saying that we don't provide any operations to create/modify/etc the roles. The second is saying that roles are optional and what to do about that.

I do agree, however, that your last sentence is correct: there is no way of determining whether roles are required or not. However, security systems should not report whether specific fields are missing or wrong during a login attempt (just that it failed), as this gives hints to attackers.

SamCooper commented 6 years ago

Actually, thinking about it, you can use the listRoles operation, which returns NULL if roles are not used.
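A sketch of how a login service could act on both points raised above (consult listRoles to learn whether roles are in play, and give the caller only pass/fail while the detailed reason stays in a server-side audit record). This is an added example, not code from COMMON_SPEC_RIDS or from any MO login service implementation; the class and method names, the password handling and the sample user are assumptions.

```python
# Added illustration for issue #93; not code from COMMON_SPEC_RIDS.
# Assumed names: Profile, LoginService, list_roles, login, audit, demo.
from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional

@dataclass
class Profile:
    username: str
    role: Optional[str]          # spec NULL -> None

class LoginService:
    def __init__(self, users: dict, roles: Optional[set]):
        self._users = users      # name -> (password, roles the user may assume)
        self._roles = roles      # None when the deployment does not use roles
        self.audit = []          # detailed failure reasons stay server-side

    def list_roles(self) -> Optional[set]:
        # listRoles returns NULL (None) when roles are not used (comment above)
        return self._roles

    def login(self, profile: Profile, password: str) -> bool:
        reason = "ok"
        entry = self._users.get(profile.username)
        # dummy secret for unknown users: timing should not reveal user existence
        stored = entry[0] if entry else "x" * 16
        if not compare_digest(stored.encode(), password.encode()) or entry is None:
            reason = "bad credentials"
        elif self.list_roles() is None:
            pass                 # 3.3.7.2 d): role field ignored, may be NULL
        elif profile.role is None:
            reason = "INVALID: roles required, role is NULL"   # 3.3.7.2 c)
        elif profile.role not in self._roles or profile.role not in entry[1]:
            reason = "role not permitted"
        self.audit.append((profile.username, reason))
        return reason == "ok"    # caller sees only pass/fail, per the comment above

USERS = {"alice": ("s3cret", {"operator"})}          # constructed sample data

def demo() -> dict:
    with_roles = LoginService(USERS, {"operator", "admin"})
    no_roles = LoginService(USERS, None)
    return {
        "roles_required": with_roles.list_roles() is not None,
        "null_role": with_roles.login(Profile("alice", None), "s3cret"),
        "good": with_roles.login(Profile("alice", "operator"), "s3cret"),
        "role_ignored": no_roles.login(Profile("alice", None), "s3cret"),
        "unknown_user": no_roles.login(Profile("bob", None), "s3cret"),
    }
```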