SOA Service Design / Authentication


Question

I'm rather new to SOA and therefore experimenting around.

Currently, the part that creates the biggest problem for me is authentication. My current thought about it involves the following:

The client sends some kind of authentication message to the authentication / user service, this service queries the db and if the user is found and the password is valid, it will respond with a session id, this id will be used in all further requests of this client.

This seems rather ok to me but I don't know how I should handle the requests to other services. I thought of three different approaches.


  1. Every service asks the authentication service if the session is valid and if so, what roles the user is in. The authentication service looks in the db and replies accordingly.

  2. The authentication service keeps all session information in RAM and responds without the db roundtrip to the requests.

  3. The authentication service sends an authorized message to an ESB, the ESB forwards this authorized message to every service and these services cache it. No further requests to the authentication service would be necessary. If the user logs out or his roles change, another message would be sent around and processed by all services.

I think the first approach creates too much stress on the authentication service / db but takes the least effort to implement.

The second is still very easy to implement but the stress on the authentication service remains almost the same.

The third is a little more complicated to implement but would have reduced response time as no trips to the authentication service take place. Though, if there is too much session information this approach would just fail and scalability is hardly given.

Recommended answer

The best approach should be like this if all the services are internal,


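  1. The authentication service issues a token to the service client.

  2. The service client includes the token in the SOA message, wrapped in WS-Security or something similar.

  3. The service should validate the token with the authentication service before providing the service.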

For external services, I suggest you look at federated solutions like SAML.
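
The three-step token flow from the answer above, as an added example that is not part of the original answer: an in-process sketch in which a plain dict stands in for the SOA message and the WS-Security wrapping is not modelled. `AuthService`, `OrderService`, the `orders:read` role and the 15-minute TTL are assumptions made for illustration.

```python
# Added example; class names, role name and message shape are assumptions.
import hashlib, hmac, secrets, time

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    """Stand-in for the authentication service (steps 1 and 3)."""
    def __init__(self, ttl=900):
        self._users, self._sessions, self._ttl = {}, {}, ttl

    def add_user(self, name, password, roles):
        salt = secrets.token_bytes(16)
        self._users[name] = (salt, _pw_hash(password, salt), frozenset(roles))

    def login(self, name, password, now=None):
        salt, stored, roles = self._users.get(name, (b"\0" * 16, b"", frozenset()))
        if not hmac.compare_digest(_pw_hash(password, salt), stored):
            return None                      # unknown user or wrong password
        token = secrets.token_urlsafe(32)    # opaque, unguessable token
        key = hashlib.sha256(token.encode()).hexdigest()  # store only a hash
        self._sessions[key] = (name, roles, (now or time.time()) + self._ttl)
        return token

    def validate(self, token, now=None):
        key = hashlib.sha256((token or "").encode()).hexdigest()
        entry = self._sessions.get(key)
        if entry is None or entry[2] <= (now or time.time()):
            self._sessions.pop(key, None)    # drop expired sessions
            return None
        return entry[0], entry[1]            # (user, roles)

    def logout(self, token):
        self._sessions.pop(hashlib.sha256(token.encode()).hexdigest(), None)

class OrderService:
    """Hypothetical internal service: validates the token before serving."""
    def __init__(self, auth):
        self._auth = auth

    def list_orders(self, message):
        session = self._auth.validate(message.get("token"))   # step 3
        if session is None:
            return 401, "invalid or expired token"
        user, roles = session
        if "orders:read" not in roles:
            return 403, "missing role"
        return 200, f"orders for {user}"
```

Because every request is checked against the authentication service, a logout or role change takes effect immediately, which is the trade-off against the cached third approach in the question.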
