sdmx-twg / sdmx-rest

This repository is used for maintaining the SDMX RESTful web services specification.

400 Bad syntax or 403 Semantic error #34

Closed ches151 closed 7 years ago

ches151 commented 8 years ago

Hi, I was going through the SDMX RESTful error handling wiki page and stumbled upon this line: "Semantic error (403): If your request is syntactically correct but fails a semantic validation, a 403 code will be returned." This is confusing, taking into account what www.w3.org says about the HTTP 403 code and what the SDMX 2.1 Web Services Guidelines state in Paragraph 5.8, SDMX to HTTP Error Mapping: "150 semantic error - 400 bad syntax".

So, my questions are:

  1. Is "Semantic error (403)" just a misprint here: https://github.com/sdmx-twg/sdmx-rest/wiki/Error-handling? I guess that it should be "Semantic error (400)".
  2. What am I supposed to return when the client is authenticated but has not been authorized to access the requested data set? Based on the HTTP 1.1 Status Code Definitions I should use 403 Forbidden.

Thank you, Denis

sosna commented 8 years ago

Hi Denis,

Thanks for reporting this. I think we should give a better example in the Wiki.

Our intention was to use 403 for cases where SDMX web services need to throw an exception because a syntactically valid request is not allowed within a particular context. For example, a registry client could send a request to update a final artefact, which is an operation that is not allowed by the standard.

In our understanding, this matches the W3C definition: "The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated."

Regarding your second point, 403 should be the right code indeed.

Let us know if the above is fine with you and I'll update the Wiki accordingly.

Cheers, Xavier

ches151 commented 8 years ago

Thank you Xavier, I will use 403 for the case when user is not allowed to perform an action.

But after your explanation it seems that the highlighted part in Paragraph 5.8 of the SDMX 2.1 Web Services Guidelines is outdated - is that true? "150 semantic error - 400 bad syntax"

One more question: which standard should I refer to for HTTP status codes when my case is not covered in the SDMX RESTful error handling wiki page? Case 1: my implementation of SDMX should deny access for non-authenticated clients. Case 2: the client has authenticated but has no rights to query a particular data set.

chris-beer commented 8 years ago

Hi Denis, Xavier, all

Noting also for 403: "If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity."

Perhaps we can include a note on the wiki around:

a) What we mean by "fails semantic validation" for a syntactically correct (non-HEAD) request which returns a 403 (for the non-technical users), and

b) provide an implementation example (especially in adhering to HATEOAS principles) of a meaningful error response in the use case below, to go along with the very fine plain English explanation here ("For example, a registry client could send a request to update a final artefact, which is an operation that is not allowed by the standard.")

Cheers

Chris

Chris Beer Australian Bureau of Statistics

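The two points raised above, Xavier's explanation of 403 for a syntactically valid request that the standard does not allow (updating a final artefact) and Chris's request for an implementation example of a meaningful error body, can be shown together in one small handler. The following is an added example, not code from the sdmx-rest project or the wiki: it separates the four outcomes discussed in this thread (malformed request, unauthenticated caller, authenticated but not permitted, and semantically disallowed operation) and attaches a reason body to every refusal except on HEAD. The registry contents, tokens, identifier rule and the SDMX-JSON-like `errors` body shape are constructed assumptions; SDMX error code 150 comes from the page, while 100, 110 and 140 are assumed from the Guidelines' error code table.

```python
"""Map the cases discussed in sdmx-rest issue #34 to HTTP status codes.

Added example, not part of the sdmx-rest project. It models a tiny
registry-style "update artefact" endpoint: the request is parsed (400),
the caller is authenticated (401) and authorised (403), and finally the
operation is checked against the SDMX rule that a final artefact must
not be updated (semantic error, also 403). Refusals carry a body that
states the reason, unless the method is HEAD.
"""
import re
from dataclasses import dataclass
from typing import Optional

# SDMX error codes. 150 (semantic error) is quoted on the page; 100 (no
# results found), 110 (unauthorized) and 140 (syntax error) are assumed
# from the SDMX 2.1 Web Services Guidelines error code table.
SDMX_NO_RESULTS = 100
SDMX_UNAUTHORIZED = 110
SDMX_SYNTAX_ERROR = 140
SDMX_SEMANTIC_ERROR = 150

# Constructed sample registry: artefact id -> (owning agency, is_final)
REGISTRY = {
    "DSD_EXAMPLE": ("ECB", True),
    "DSD_DRAFT": ("ECB", False),
}
# Constructed bearer-token table: token -> agency the caller acts for
TOKENS = {"tok-alice": "ECB", "tok-bob": "IMF"}

# Assumed identifier rule (letters, digits, _, @, $, -), applied before
# anything else so that malformed input is rejected as a pure syntax error.
ID_RE = re.compile(r"^[A-Za-z0-9_@$\-]+$")


@dataclass
class Response:
    status: int
    body: Optional[dict]  # None for HEAD, where no entity is sent


def error(status: int, code: int, title: str, method: str) -> Response:
    """Build a refusal; the reason is described in the entity unless HEAD."""
    if method == "HEAD":
        return Response(status, None)
    # Assumed SDMX-JSON-like error shape: a list of {code, title} objects.
    return Response(status, {"errors": [{"code": code, "title": title}]})


def handle_update(method: str, artefact_id: str, token: Optional[str]) -> Response:
    """Decide the outcome of 'update artefact <artefact_id>' for one caller."""
    # 1. Syntax: reject malformed requests before looking at credentials.
    if not ID_RE.match(artefact_id or ""):
        return error(400, SDMX_SYNTAX_ERROR,
                     f"malformed artefact identifier {artefact_id!r}", method)

    # 2. Authentication: missing or unknown credentials -> 401.
    agency = TOKENS.get(token)
    if agency is None:
        return error(401, SDMX_UNAUTHORIZED, "authentication required", method)

    # 3. Existence: the request is well formed and the caller is known.
    entry = REGISTRY.get(artefact_id)
    if entry is None:
        return error(404, SDMX_NO_RESULTS, f"{artefact_id} not found", method)
    owner, is_final = entry

    # 4. Authorisation: authenticated but not allowed for this artefact -> 403.
    #    Authorization will not help, so 403 rather than 401.
    if agency != owner:
        return error(403, SDMX_UNAUTHORIZED,
                     f"{agency} may not modify artefacts owned by {owner}", method)

    # 5. Semantic validation: syntactically valid and permitted for the
    #    caller, but the standard forbids updating a final artefact -> 403.
    if is_final:
        return error(403, SDMX_SEMANTIC_ERROR,
                     f"{artefact_id} is final and cannot be updated", method)

    return Response(200, {"updated": artefact_id})


if __name__ == "__main__":
    for case in [("PUT", "bad id!", "tok-alice"),
                 ("PUT", "DSD_DRAFT", None),
                 ("PUT", "DSD_DRAFT", "tok-bob"),
                 ("PUT", "DSD_EXAMPLE", "tok-alice"),
                 ("HEAD", "DSD_EXAMPLE", "tok-alice"),
                 ("PUT", "DSD_DRAFT", "tok-alice")]:
        print(case, "->", handle_update(*case))
```

The check order matters: syntax is validated before authentication so that a malformed request never reaches the credential store, and the ownership check comes before the semantic one so that a non-owner learns only that the update is refused, not whether the artefact is final. If the existence of an artefact is itself sensitive, a deployment would collapse the 404 and the ownership 403 into a single answer; the example keeps them distinct because the thread is about telling the cases apart.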

sosna commented 8 years ago

OK, Denis, I will update the Wiki then.

Regarding your questions:

Chris, OK, I will give it a try on the Wiki for point a. Regarding point b, you mean we should suggest going beyond the HTTP response headers and using (for example) the error attribute of an SDMX-JSON object? Or did you have something else in mind?

ches151 commented 8 years ago

Thank you Xavier for the explanation!

sosna commented 7 years ago

Added an example to the Wiki page.