Azure: whether to create web services or not


Problem description


I am developing an application on Titanium Alloy that has connectivity to a database located at Windows Azure. I want to know:

  1. Is it necessary to create web services for getting data from Azure storage, as Windows Azure already provides a REST API?
  2. What are the pros and cons of creating Web Services in my case?
  3. Which way is more preferable in all the terms (including performance, overhead, security, etc.): creating Web Services or using the REST API directly?

Solution

Let me start by saying I'm not familiar with Titanium Alloy, but I see that it is a mobile development framework. I'll answer this as I would for any mobile solution that would want to hit the Storage services.

One - You can get at the data in Azure storage without a web service serving as a proxy; however, this has some drawbacks to it which I'll touch on below. You can certainly hit the REST API direct for anything you need from anything that can speak HTTPS and interpret the results.

Two - The issue with going direct to the REST API for Table Storage, Queues and private BLOB containers is that the caller has to have credentials to get at the data. Storage accounts have only one type of credential, and that is the account key and account name. There isn't currently fine-grained control over different services or aspects of the services, so this means that anyone with these credentials can do anything they want to your data in that account short of deleting the account (though they can certainly delete the data within the account, or even replace your data with their entire ripped movie collection). So, if you include your credentials in your mobile client code, they are exposed, and that's definitely not recommended.

An option to this is to use Shared Access Signatures (SAS). A SAS generates a URL that is signed with the credentials and can be valid for a certain period of time. The issue here is that you would need something to generate the SAS URLs for the clients, which means you'll have a web service somewhere. However, you could reduce the number of times the web service is hit because the SAS would be generated and used for some period of time before you would need to hit the service again to get another one.

I'll caution this approach with the idea that the URL generated for a SAS is just a URL. Anyone with this URL has the ability to do whatever rights were assigned to the SAS when it was created. Granted, if you are making these calls over HTTPS (and you should be) then the signature portion is encrypted; however, be aware that man-in-the-middle attacks could actually still occur. To deal with this, people often really scope the SAS expiration time to seconds or minutes, but then at that point, depending on your load, you may be just as well to route everything through your web service anyway and be that much more comfortable that authentication is occurring. For example, if you have very little load or time between queries is longer than you want the SAS to remain valid, this may not be a good fit. I've seen this "valet key" pattern used to great success, so don't take my caution as a sign it's a bad idea; you just need to be aware of what it means to use them.

Three - If you can offload some of the processing to other servers then that's great. Security-wise, you are going to be more secure to go through your web service which is handling authentication (either directly or through identity providers). You'll control all access to your system that way. Performance-wise, if you are then turning around and calling off to the Table Storage you'll see a hit because there are multiple hops in place. This can be mitigated some with caching at your service level (which is a completely different topic).

One option you may want to look at is using Azure Mobile Services. This provides a back end for you. By default it uses SQL Database, but with the new Custom API feature you can go off and do whatever you need to from the node script, including hitting the table storage APIs (see this post by Chris Risner for examples). This approach would remove your need for a web service that you run since the Mobile Services would serve that role, but you'll want to be aware of the pricing model and do some comparisons based on your own scenario.
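
The "valet key" behaviour described in the answer, as an added Node.js example that is not part of the original answer: a server holding the key issues a short-lived, rights-scoped signed URL, and any change to the rights, resource or expiry breaks the signature. The query parameter names `sp`, `se` and `sig` mirror those of a SAS, but the string-to-sign layout is simplified and is not Azure's real format; `storage.example`, `issueUrl` and `authorize` are hypothetical names.

```javascript
const crypto = require("crypto");

// Constructed demo key; a real account key stays on the server and never ships in the app.
const ACCOUNT_KEY = Buffer.from("constructed-demo-key-not-a-real-secret");

function sign(resource, perms, expiry) {
  // Every field a client could tamper with is covered by the HMAC.
  const stringToSign = [perms, expiry, resource].join("\n");
  return crypto.createHmac("sha256", ACCOUNT_KEY).update(stringToSign).digest("base64");
}

// Web service side: issue a URL limited to one resource, given rights and a short lifetime.
function issueUrl(resource, perms, ttlSeconds, now = Date.now()) {
  const expiry = new Date(now + ttlSeconds * 1000).toISOString();
  const q = new URLSearchParams({ sp: perms, se: expiry, sig: sign(resource, perms, expiry) });
  return `https://storage.example${resource}?${q}`;
}

// Storage side: the URL is a bearer credential, so only signature, expiry and rights are checked.
function authorize(url, neededPerm, now = Date.now()) {
  const u = new URL(url);
  const sp = u.searchParams.get("sp") || "";
  const se = u.searchParams.get("se") || "";
  const sig = Buffer.from(u.searchParams.get("sig") || "", "base64");
  const expected = Buffer.from(sign(u.pathname, sp, se), "base64");
  if (sig.length !== expected.length || !crypto.timingSafeEqual(sig, expected)) return "bad-signature";
  const expiresAt = Date.parse(se);
  if (Number.isNaN(expiresAt) || now >= expiresAt) return "expired";
  if (!sp.includes(neededPerm)) return "forbidden";
  return "ok";
}

function demo() {
  const t0 = Date.parse("2024-01-01T00:00:00Z"); // constructed clock
  const url = issueUrl("/photos/cat.jpg", "r", 120, t0); // read-only, valid for 2 minutes
  return {
    read: authorize(url, "r", t0 + 60_000),
    write: authorize(url, "w", t0 + 60_000),
    late: authorize(url, "r", t0 + 121_000),
    tampered: authorize(url.replace("sp=r", "sp=rw"), "w", t0 + 60_000),
    otherBlob: authorize(url.replace("cat.jpg", "dog.jpg"), "r", t0 + 60_000),
  };
}
console.log(demo());
```

Note that `authorize` never asks who the caller is: anyone holding the URL gets the `read` result until expiry, which is why the answer recommends short lifetimes and narrow rights.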
