Is it legal to have REST resource such as /currentUser in terms of RESTful and stateless?


Problem description

In terms of RESTful and stateless it's pretty legal to have a resource like

/users/123

But, the question is: is it legal to have a resource that omits the user id and assumes that it's implicitly resolved on the server from the user session? For example:

/loggedUser

That resource would point to /users/123 when the user with identifier 123 is authorized.

Recommended answer

Picking a resource locator

Using /me, /users/me, /users/myself, /users/current or similar URIs to identify a resource that corresponds to the authenticated user is perfectly fine from a REST perspective. According to Roy Thomas Fielding's dissertation, any information that can be named can be a resource:

5.2.1.1 Resources and Resource Identifiers

The key abstraction of information in REST is a resource. Any information that can be named can be a resource: a document or image, a temporal service (e.g. "today's weather in Los Angeles"), a collection of other resources, a non-virtual object (e.g. a person), and so on. In other words, any concept that might be the target of an author's hypertext reference must fit within the definition of a resource. A resource is a conceptual mapping to a set of entities, not the entity that corresponds to the mapping at any particular point in time. [...]

When using the URIs mentioned above, you have an identifier for the authenticated user and it will always identify the concept of an authenticated user, regardless of which user is authenticated.

The stateless constraint is not related to how your resources are identified. The stateless constraint is about not storing any session state on the server side. In this approach, each request from client to server must contain all the necessary information to be understood by the server.

See the following quote from Fielding's dissertation:

5.1.3 Stateless

[...] each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client. [...]

When targeting protected resources that require authentication, for example, every request must contain all necessary data to be properly authenticated/authorized.

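The answer's two points together, as an added example that is not part of the original post: a /users/me resource that resolves to the caller's concrete /users/{id} purely from credentials carried in the request (an HMAC-tagged bearer token), with no server-side session lookup. The secret, the user table and the token format are constructed for illustration, not a real library's API.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed server-side signing key and user table (illustration only).
SECRET = b"example-signing-key-not-for-production"
USERS = {"123": {"id": "123", "name": "alice"}, "456": {"id": "456", "name": "bob"}}


def issue_token(user_id: str) -> str:
    """Mint '<user_id>.<hmac>' so later requests are self-describing:
    the server verifies the tag, it never consults a session store."""
    tag = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def authenticate(headers: dict) -> Optional[str]:
    """Return the user id proven by this request's Authorization header, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    user_id, _, tag = auth[len("Bearer "):].partition(".")
    expected = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time tag check
        return None
    return user_id if user_id in USERS else None


def handle(path: str, headers: dict) -> Tuple[int, dict, Optional[dict]]:
    """Route /users/me and /users/{id}; every call is judged on its own headers."""
    if not path.startswith("/users/"):
        return 404, {}, None
    caller = authenticate(headers)
    if caller is None:
        # No usable credentials in this request and nothing stored server-side to fall back on.
        return 401, {"WWW-Authenticate": "Bearer"}, None
    if path == "/users/me":
        # The concept "authenticated user" maps to whichever concrete user proved identity.
        return 303, {"Location": f"/users/{caller}"}, None
    user_id = path[len("/users/"):]
    if user_id not in USERS:
        return 404, {}, None
    if user_id != caller:
        # Authenticated, but not authorized to read another user's resource.
        return 403, {}, None
    return 200, {"Content-Type": "application/json"}, USERS[user_id]
```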
