RESTful authentication as a form of state


Question

It's impossible to have authentication without state. So when designing RESTful software with authentication, do we compromise this architecture for the sake of security? How far can this go? Can you store any amount of state as long as it's in the effort of building a more secure system?

Representational State Transfer or REST has a number of core design concepts. One of the most important is that REST must be stateless, or to quote Wikipedia:

"... A client in a rest state is able to interact with its user, but creates no load and consumes no per-client storage on the servers or on the network."

However, usernames and passwords are by definition a state that is unique to a client and is subject to change. Furthermore, a client can have the state of being authenticated, or otherwise they would have limited or no access.

Answer

RESTful systems have two types of state: client application state and resource state. The important thing about resource state is that it should have an identifier, like a URL.

Accessing resource state via a URL should return the same information regardless of who accesses it (assuming sufficient authorization).

Server session state messes things up because people use it to vary the contents of the response based on who is requesting the resource. That makes bookmarking more tricky, sharing URLs more difficult, and caching more difficult.

Unfortunately the Wikipedia quote is overly broad and open to misinterpretation. For me, the easiest way of thinking about it is that the server should have no knowledge about the current state of the client.

Authenticating a client does not require you to keep information about the client once they are authenticated. All that is required is that on the next request, you authenticate again.
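As an added illustration of the answer's last point (example code, not from the original post or any project it cites): the stateful server below keeps a per-client session table, so a second instance cannot recognise a cookie it never issued, while the stateless variant re-verifies an HMAC-signed token on every request and stores nothing per client, so any instance holding the key can serve it. The key, salt and user record are constructed demo values.

```python
import base64, hashlib, hmac, json, os, time

# Constructed demo values (assumptions, not from the original post).
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
SALT = b"constructed-demo-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}

def check_password(user, password):
    """Re-verify a credential against its stored PBKDF2 hash, in constant time."""
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(stored, candidate)

# Stateful variant: the server keeps per-client session storage, so a second
# instance (or a restart) cannot serve a cookie it never issued.
class SessionServer:
    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        if not check_password(user, password):
            return None
        sid = base64.urlsafe_b64encode(os.urandom(16)).decode()
        self.sessions[sid] = user
        return sid

    def whoami(self, request):
        return self.sessions.get(request.get("cookie"))

# Stateless variant: the client carries a token the server re-verifies on every
# request; nothing per-client is stored, so any instance holding SERVER_KEY works.
def issue_token(user, password, ttl=300, now=None):
    if not check_password(user, password):
        return None
    exp = int(time.time() if now is None else now) + ttl
    payload = base64.urlsafe_b64encode(json.dumps({"sub": user, "exp": exp}).encode())
    return payload.decode() + "." + hmac.new(SERVER_KEY, payload, "sha256").hexdigest()

def stateless_whoami(request, now=None):
    try:
        payload, mac = request.get("authorization", "").split(".", 1)
    except ValueError:
        return None  # missing or malformed credential
    expected = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # signature does not match: tampered or foreign token
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["sub"] if claims["exp"] >= (time.time() if now is None else now) else None
```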
