许可证和会话使用RESTful方式 [英] Licenses and sessions the RESTful way
问题描述
此问题越过我的脑海之后,我看到这篇文章:
<一href=\"http://stackoverflow.com/questions/544474/can-you-help-me-understand-this-common-rest-mistakes-sessions-are-irrelevant\">Common REST误区:会话无关
This question crossed my mind after I read this post: "Common REST Mistakes: Sessions are irrelevant"
如果会议确实在RESTful应用程序望而却步。你会如何处理这样的应用程序许可证。我具体指的是并发许可证模式,而不是命名许可证。即客户购买点¯x许可证,这意味着应用程序最多可以允许X用户在同时登录。这意味着应用程序必须持有状态的用户当前登录。
If sessions are indeed discouraged in a RESTful application. How would you handle licenses in such application. I'm specifically referring to concurrent licenses model and not named licenses. i.e. the customer buys X licenses which means the application may allow up to X users to be logged in simultaneously. Which means that the application must hold a state for current logged in users.
我知道我可以创建一个名为许可资源,这将设置一个cookie或生成一个唯一的ID,然后客户端将必须与每个请求发送。但它一样创建一个会话,对吧?
I know I can create a resource called licenses, which will set a cookie or generate a unique ID, and then the client will have to send it with every request. But it's the same as creating a session, right?
如果我将采用无状态的方法,并要求客户为每个请求创建一个身份验证令牌如何将应用程序知道什么时候消耗和释放许可证的客户端?
If I'll adopt the stateless approach and ask the client to create an authentication token for every request how will the application know when to consume and release license for that client?
是否有其他选择吗?特别是一个更加具有REST风格的选择吗?
Is there an alternative? specifically a more RESTful alternative?
推荐答案
让我试着连点对你来说,假设我间$ P $正确PTED你的问题。
您发布的链接有一个有效的答案,每个请求应使用HTTP认证。如果您需要许可证的理念来维护你的用户一定境界,你可以最有可能链接到用户。你有一个(认证)用户名去了。你只需要调用该控制器为每个请求,并保存其状态。有你有你的会话。
Let me try to connect the dots for you, assuming I interpreted your question correctly. The link you posted has a valid answer, each request should use a HTTP auth. If you need the concept of licences to maintain a certain state for your user, you can most likely link that to the user. You have a (verified) username to go by. You just need to invoke that controller for each request and save its state. There you have your session.
曲奇输入绝不应受信任为任何重要信息,但也可以是像一个安全令牌额外验证非常有用的。我认为加上一个随机安全令牌领域到您的现场环节将是宁静的方式来表示。它应与会话过期的,当然。
Cookie input should never be trusted for any critical information, but can be very useful for extra verification like a security token. I think adding a random security token field to your on-site links would be the restful approach to that. It should expire with the 'session', of course.
这篇关于许可证和会话使用RESTful方式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
