无状态服务器如何工作? [英] How do stateless servers work?
问题描述
如何配置spring-security来做到这一点?
跨服务器跟踪用户对于真正的无状态服务器端来说非常棘手。大多数情况下,事情都是一个无状态的服务器,登录是例外。然而,无状态服务器的重要之处在于它使群集非常简单,因此可以水平扩展。
在Java中,您可以使用cookie来存储凭证,或使用分布式哈希。通常,人们接受使用类似于memcache的东西,并且说他们是无状态的,因为状态存储在web服务器之外。这允许用户使用农场中的任何Web服务器,并仍然可以安全地进行身份验证。在Java中,我们有大量的分布式哈希实现,您可以在spring中使用,因此您不必使用memcache来执行此操作。
另一个选项是使用cookie存储称为HMAC的加密安全散列票证。使用cookies避免使用会话,因此Web服务器是无状态的。使用HMAC,您可以签署一组无法伪造或由第三方创建的数据块,并保证从您发起。这不需要外部服务器资源(高速缓存)对用户进行身份验证,因此它可以更好地扩展,但是您需要注意一些安全问题。仅供参考Google使用此技术进行水平缩放。一个HMAC不像SHA1或其他cyrpto-hashes。它们需要密钥必须位于服务器场中的每个服务器上。这还必须使用对称加密密钥来保护,以确保在某人获得该文件的位置时将其安全地存储在服务器上。此外,HMAC信息存储在明文中,因此您可以将用户名或电子邮件放入cookie中,任何人都可以使用实际的加密哈希。如果有人想知道这个cookie,他们可以伪装成该用户。这就是为什么HMAC通常仅在一定时间内有效。之后,他们到期,所以如果有人确认他们,他们不能永远访问该帐户。所以HMAC有这个弱点,你应该小心你的应用程序使用它们。对于PayPal来说,这将是一个非常糟糕的主意,因为我所要做的就是获得安全的cookie,然后将所有资金转移给我。最大的好处就是一切都是你的应用程序是真正的无状态的。
最后的选择是将你的java会话存储在分布式散列中。 Php和其他平台会将它们的会话转储到数据库中,可怜的人分发缓存,或者将它们转储到memcache中。用Java你可以做同样的事情。您也可以将会话对象放入分布式缓存中。这个选项已经失宠,因为人们认为现在我可以把我想要的任何东西都放到我的会话中,而且它将是无国界的。但是,与所有分布式缓存一样,传输速度也有限制,复制时间和有效负载大小相关联。这对于Java或Memcache来说是正确的。保持较小的会话,这很好。将所有内容投入会话中,然后回到使用单个服务器扩展问题的方式。更确切地说,它可能比如果你只是让你的服务器有状态,因为有时候网格计算比单服务器差。
更新:这是一个Java分布式缓存库列表你可以使用这样做:http://www.manageability.org/blog/stuff/distributed-cache-java
I try to understand this. Normally each time user login system, server side will create a session, while user client side there is cookie. When people talk about stateless serverside, stateful client side, what do they mean? server side no need use session keep track user? only use cookies on client side to check user? mean if I change server, user will not notice it and still can resume using the service?
How to configure spring-security to to do this?
Tracking a user across servers is tricky for true stateless server side. Most of the time things are sorta stateless server where logins are the exception. However, the big deal with stateless servers is that it makes clustering very simple so you can scale horizontally.
In Java you can make it stateless using either cookies to store credentials, or using distributed hashes. Generally, people accept using something like memcache and say they are stateless because the state is stored outside the webserver. That allows the user to use any webserver in the farm and still be safely authenticated. In Java we have plenty of distributed hash implementations that you can use with spring so you don't have to use memcache to do this.
The other option is to use cookies to store a cryptographic secure hashed ticket called an HMAC. Using cookies avoids using the Session so the webserver is stateless. With HMAC you can sign a block of data that cannot be forged or created by a 3rd party and is guaranteed to be originated from you. This doesn't require outside server resources (the cache) to authenticate the user so it can scale better, but there are some security concerns you have to be aware of. FYI Google uses this technique to scale horizontally. One HMAC's aren't like SHA1 or other cyrpto-hashes. They require a secret key that has to be on each server in the farm. That also has to be protected with symmetric encryption key to make sure it's stored securely on the server should someone get ahold of the file. Also HMACs information is stored in the clear so while you can put the username or email in the cookie the actual crypto hash is available to anyone. If someone were to get ahold of that cookie they could masquerade as that user. That's why HMACs are typically valid for only a certain amount of time. After that they expire so if someone does get ahold of them they can't access that account forever.
So HMACs have this weakness and you should be careful about what applications you use them in. It would be a really bad idea for Paypal to use this scheme because all I have to do is get your secure cookie then transfer all your funds to me. The big upside is everything is your app is truly stateless.
The final option is to store your java sessions in a distributed hash. Php and other platforms will dump their sessions in the database, the poor mans distributed cache, or dump them into memcache. With Java you can do the same thing. You can put your session objects into the distributed cache too. This option has fallen out of favor because people think "cool now I can dump whatever I want into my session and it will be stateless." However, as with all distributed caches there are limits on transfer speed, replication time, and payload size are linked. This is true for Java or Memcache. Keep your sessions small, and this works well. Throw everything into the session and you go right back to scaling issues you have with a single server. And really it's probably worse than if you had just made your server stateful because sometimes grid computing is worse than single server.
Update: Here are a list of Java distributed caching libraries you can use to do this:
http://www.manageability.org/blog/stuff/distributed-cache-java
这篇关于无状态服务器如何工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
