NHSDigital/integration-adaptor-111

When SOAP or ITK validation fails, should it be Client error (4xx) rather than Server error (5xx)

Closed this issue · 2 comments

Description
When validation fails should it be a client error status in the HTTP status code?
At the moment it is 500.

The implication of this is that the status code implies something is wrong in the server, so it implies the server needs a fix (deployment, or implementation code), while actually the problem is that the client needs to send a correct message with the correct configuration. So, when the client receives this error, they assume the server may be temporarily down and retry it later. While if the client receives 400x (client), they should assume something is wrong with their configuration or code.

Component
NHS111 adapter

Version
0.2.0

Steps to Reproduce
Send a message with invalid SOAP

Test Data
Any data

Preconditions
None

Environment
local environment

Severity
high

Priority
low

Expected Behavior
should return 4xx HttpStatus Code

Hi @Kusnaditjung, I've spoken to a couple of other people here at NHS Digital about this one.

While we would agree that it might seem strange to return a 500 error for something that the client got wrong, the following suggests that, in particular when using SOAP, any SOAP faults (which would include malformed or incorrect SOAP headers) MUST be returned with a code 500.

See https://www.ibm.com/support/pages/soap-faults-must-be-sent-http-500-error-code

And https://www.w3.org/TR/2000/NOTE-SOAP-20000508/ section 6.2

“In case of a SOAP error while processing the request, the SOAP HTTP server MUST issue an HTTP 500 "Internal Server Error" response and include a SOAP message in the response containing a SOAP Fault element (see section 4.4) indicating the SOAP processing error.”

So for typical HTTP usage it's rather odd, but for SOAP we would say the spec was correct.

I see this issue can be closed.
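Since the thread concludes that SOAP 1.1 faults arrive with HTTP 500, a client can take its retry decision from the `faultcode` inside the fault instead of the status line. The sketch below is an added example, not code from the adaptor or from NHS Digital; it assumes the server sets `faultcode` as SOAP 1.1 section 4.4.1 defines it, and the function names and sample faults are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# SOAP 1.1 section 4.4.1: Client, VersionMismatch and MustUnderstand faults
# describe the message itself; Server faults may succeed if sent again later.
SENDER_SIDE = {"Client", "VersionMismatch", "MustUnderstand"}


def classify_soap_response(status: int, body: bytes) -> str:
    """Return 'ok', 'fix-request', 'retry' or 'unknown' for one HTTP response."""
    if 200 <= status < 300:
        return "ok"
    if status != 500:
        return "unknown"
    # SOAP 1.1 forbids a DTD in a message, so refuse to parse one.
    if b"<!DOCTYPE" in body:
        return "unknown"
    try:
        envelope = ET.fromstring(body)
    except ET.ParseError:
        return "retry"  # 500 without a parsable SOAP body: treat as server-side
    fault = envelope.find(f"{{{SOAP11_NS}}}Body/{{{SOAP11_NS}}}Fault")
    if fault is None:
        return "retry"
    # faultcode is a QName such as "soap:Client" or "soap:Client.Authentication";
    # this simplified check uses the local name up to the first dot.
    code = (fault.findtext("faultcode") or "").strip()
    top_level = code.split(":")[-1].split(".")[0]
    if top_level in SENDER_SIDE:
        return "fix-request"
    return "retry" if top_level == "Server" else "unknown"


def sample_fault(faultcode: str, faultstring: str) -> bytes:
    """Build a constructed SOAP 1.1 fault (not captured from the adaptor)."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP11_NS}"><soap:Body><soap:Fault>'
        f"<faultcode>{faultcode}</faultcode>"
        f"<faultstring>{faultstring}</faultstring>"
        "</soap:Fault></soap:Body></soap:Envelope>"
    ).encode()


if __name__ == "__main__":
    print(classify_soap_response(500, sample_fault("soap:Client", "Invalid SOAP header")))
    print(classify_soap_response(500, sample_fault("soap:Server", "Downstream unavailable")))
```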