如何使用SOAP做认证？ [英] How to do authentication using SOAP?

问题描述

我如何使用SOAP验证用户身份？

How do I authenticate users with SOAP?

我是否有权要求用户与每个SOAP请求发送自己的用户名和密码，我验证了他对数据库？

Will I have to require the user to send his username and password with every SOAP request and I authenticate him against the database?

不，似乎造成不必要的查询？

Doesn't that seem to cause unnecessary queries?

推荐答案

这是更简单的方法将是在第一个查询验证，构建你给上载的远程IP地址在服务器端的会话记录和令牌客户端作​​为的authToken。然后在客户端通过这个的authToken今后查询。这具有的authToken，以配合您保持对客户的内部会话数据，但将允许您以避免使往返到数据库只是做认证。

An easier way would be to authenticate on the first query, build a session record on the server side containing the remote IP address and a token that you give to the client as an authToken. Then have the client pass this authToken in future queries. This authToken has to match the internal session data you keep about the client, but would allow you to avoid having to make round-trips to the database just to do authentication.

这是说，亚当斯@Marcus下面有一个好点的就无状态的烦躁。还有人在那里推各种 SOAP安全模型的。 的WS-Security 是本领域的当前状态，在这里。他们通过投入SOAP头验证信息所有的工作 - 毕竟，这就是为什么一个SOAP消息包含一个标题和一个正文部分。

That said, @Marcus Adams has a good point below with regard to stateless-ness. There are people out there pushing all sorts of SOAP security models. WS-Security is the current state of the art, here. They all work by putting authentication information in the SOAP header - after all, that's why a SOAP message contains both a header and a bodypart.

这篇关于如何使用SOAP做认证？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！