Better response codes for invalid requests


Better response codes for invalid requests

Nick King
Hi,

We have a live connection (CONNECT version: 4.4.1) with a partner gateway and found that when we receive a request (QD in this case) which is missing the subject:role SNOMED value in the SAML header like below:

<Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">
    <AttributeValue/>
</Attribute>

instead of

<Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">
    <AttributeValue>
        <Role xsi:type="CE" code="112247003" codeSystem="2.16.840.1.113883.6.96" codeSystemName="SNOMED_CT" displayName="CMC PHYSICIAN " xmlns="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"/>
    </AttributeValue>
</Attribute>

An exception is thrown and an HTTP 500 response is returned to the sender rather than an error in a SOAP response. The 'Nationwide Health Information Network (NHIN) Authorization Framework Specification V 3.0' states the following about the role attribute:

3.2.2.5 Role Attribute
This <Attribute> element shall have the Name attribute set to "urn:oasis:names:tc:xacml:2.0:subject:role". The value of the <AttributeValue> element is a child element, "Role", in the namespace "urn:hl7-org:v3", whose content is defined by the "CE" (coded element) data type from the HL7 version 3 specification.
The codeSystem is defined to be "2.16.840.1.113883.6.96" and the codeSystemName is defined to be "SNOMED_CT". The Role Element shall contain the SNOMED CT value representing the role that the user is playing when making the request. The value set to be used is "User Role" and the OID 2.16.840.1.113883.3.18.6.1.156 as defined in HITSP C80.

Our partner retries messages that return an HTTP 500 response, meaning we end up receiving repeated versions of the invalid request.

Should CONNECT be responding with HTTP 500 status codes under this scenario?

RE: Better response codes for invalid requests

Minh
Administrator

Hi Nick,

You probably know that your partner sends the wrong format in the subject:role element. That causes the exception to happen. However, when CONNECT catches any exception, it will throw a SOAP fault in the response message along with a 500 error code in the header. The SOAP specification, under section 6.2 SOAP HTTP Response (https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383510), indicates that requirement.

Below is a sample SOAP response when an exception happens:

-----------------------------------------
Response-Code: 500
Encoding: UTF-8
Content-Type: application/soap+xml;charset=UTF-8
Headers: {connection=[keep-alive], content-type=[application/soap+xml;charset=UTF-8], Date=[Thu, 28 Apr 2016 17:42:37 GMT], Server=[WildFly/8], transfer-encoding=[chunked], X-Powered-By=[Undertow/1]}
Payload: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><Action xmlns="http://www.w3.org/2005/08/addressing">urn:gov:hhs:fha:nhinc:nhinccomponentauditrepository:AuditRepositoryManagerSecuredPortType:LogEvent:Fault:RuntimeException</Action><MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:fbcd3147-29d2-4c4b-a378-6024c3290837</MessageID><To xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To><RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:1e1c109c-f20e-4e16-b8b6-f2078a032726</RelatesTo><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="true"><wsu:Timestamp wsu:Id="TS-31"><wsu:Created>2016-04-28T17:42:37.765Z</wsu:Created><wsu:Expires>2016-04-28T17:47:37.765Z</wsu:Expires></wsu:Timestamp><wsse11:SignatureConfirmation xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" Value="lMst5iC1NovA7Yct1moJyt/tqTpHHVbWzxRBJ2LfQ65JlaXogt8oplh8gAWu/jYpq/BBfyNl+Qzyv5oWY3VIVfAOs2RlOE85Iy9Rj7ep+1HwJw3v8b3E8NK6uIEE9vW/DsSGYoTbkI5eaYZQDEcTbdBQLzfjzOzvmBq9pY6+Cpw=" wsu:Id="SC-32"/></wsse:Security></soap:Header><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Receiver</soap:Value></soap:Code><soap:Reason><soap:Text xml:lang="en">Error occurred calling AuditRepositoryImpl.logAudit. Error: Index: 0</soap:Text></soap:Reason></soap:Fault></soap:Body></soap:Envelope>

Thanks,


Minh-Hai Nguyen
CONNECT Product Team Member
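A defender-side check for the subject:role attribute discussed in this thread, added here as an example (it is not CONNECT's code): it validates the HL7 Role element before the request reaches business logic and classifies a missing or malformed role as a SOAP 1.2 Sender fault rather than letting an unhandled exception surface as a generic Receiver fault. Under the SOAP 1.2 HTTP binding (the envelope version in the sample response above) Sender maps to 400 and Receiver to 500; the two sample attributes are constructed from the forms quoted in the question, and the function and dict names are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

HL7_ROLE = "{urn:hl7-org:v3}Role"
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
SNOMED_OID = "2.16.840.1.113883.6.96"
# SOAP 1.2 Part 2 (HTTP binding) maps the standard fault codes to HTTP status codes.
HTTP_STATUS_FOR_FAULT = {"Sender": 400, "Receiver": 500}


def _sender_fault(reason: str) -> dict:
    return {"ok": False, "fault": "Sender", "reason": reason}


def check_subject_role(saml_xml: str) -> dict:
    """Validate subject:role before business logic; malformed input becomes a Sender fault dict."""
    try:
        root = ET.fromstring(saml_xml)
    except ET.ParseError as exc:
        return _sender_fault(f"malformed XML: {exc}")
    # Match <Attribute> in any namespace (the SAML one, or none as quoted in the thread).
    attrs = [e for e in root.iter() if e.tag.endswith("Attribute") and e.get("Name") == ROLE_ATTR]
    if len(attrs) != 1:
        return _sender_fault(f"expected one subject:role attribute, found {len(attrs)}")
    roles = [r for v in attrs[0] if v.tag.endswith("AttributeValue") for r in v if r.tag == HL7_ROLE]
    if not roles:  # the partner's case: <AttributeValue/> with no Role child
        return _sender_fault("AttributeValue carries no urn:hl7-org:v3 Role element")
    role = roles[0]
    if not (role.get("code") or "").strip():
        return _sender_fault("Role element has no code")
    if role.get("codeSystem") != SNOMED_OID:
        return _sender_fault(f"Role codeSystem must be {SNOMED_OID}")
    return {"ok": True, "code": role.get("code").strip(), "displayName": (role.get("displayName") or "").strip()}


def soap_fault_response(result: dict) -> tuple[int, str]:
    """Turn a failed check into (HTTP status, SOAP 1.2 fault envelope)."""
    fault = result["fault"]
    envelope = ('<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Body><soap:Fault>'
                f"<soap:Code><soap:Value>soap:{fault}</soap:Value></soap:Code><soap:Reason>"
                f'<soap:Text xml:lang="en">{escape(result["reason"])}</soap:Text></soap:Reason>'
                "</soap:Fault></soap:Body></soap:Envelope>")
    return HTTP_STATUS_FOR_FAULT[fault], envelope


# Constructed samples mirroring the two attribute forms quoted in the thread.
EMPTY_ROLE = f'<Attribute Name="{ROLE_ATTR}"><AttributeValue/></Attribute>'
VALID_ROLE = (f'<Attribute Name="{ROLE_ATTR}"><AttributeValue><Role xmlns="urn:hl7-org:v3" code="112247003" '
              f'codeSystem="{SNOMED_OID}" codeSystemName="SNOMED_CT" displayName="CMC PHYSICIAN "/>'
              "</AttributeValue></Attribute>")
```

Running `soap_fault_response(check_subject_role(EMPTY_ROLE))` yields status 400 with a `soap:Sender` fault, while `check_subject_role(VALID_ROLE)` accepts code 112247003.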