Authorization check for HTTP Caches
Question
I have a Web API method, listed below, for a REST service. It returns all user information for InventoryAuditors. Only authorized InventoryAuditor users can access this resource.
using System.Collections.Generic;
using System.Web.Http;

[RoutePrefix("api/users")]
public class UsersController : ApiController
{
    [Authorize(Roles = "InventoryAuditor")]
    [Route("")]
    [HttpGet]
    public List<User> GetAllUsers()
    {
        // Return list of users (the lookup itself is omitted in the question)
        return new List<User>();
    }
}

public class User
{
    public int UserID { get; set; }
    public string FirstName { get; set; }
}
Questions
- Is this resource cacheable for shared caches (like forward proxies and other intermediary caches)?
- If yes, how does the shared cache perform the authorization check – how does the cache know that the resource must be served only to InventoryAuditors?
- How should the headers look to make this authorized representation cacheable?
Or is HTTP caching not to be used at all in the case of authorized resources?
Note: the article Caching Tutorial for Web Authors and Webmasters says:
By default, pages protected with HTTP authentication are considered private; they will not be kept by shared caches. However, you can make authenticated pages public with a Cache-Control: public header; HTTP 1.1-compliant caches will then allow them to be cached.
References
- https://tools.ietf.org/html/rfc7235#section-4.2
- https://tools.ietf.org/html/rfc7234#section-3.2
- https://tools.ietf.org/html/rfc7234#section-5.2.2
- Hypertext Transfer Protocol (HTTP/1.1): Caching
- Feature: Bearer Authentication - Squid
- Stupid Web Caching Tricks
Answer
What I understand from reading various resources is that the following headers may help in caching authorized resources.
Cache-Control: public, max-age=0
- max-age=0: asks the cache to revalidate with the server using a conditional GET request. When revalidating with the server, the Authorization header is sent to the server.
- max-age=0 is different from must-revalidate. max-age=0 allows caching of responses that include the Authorization header.
See also
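As an added illustration (not code from the question, the answer, or the Web API project), this Python model implements the RFC 7234 section 3.2 rule the answer relies on: a shared cache may store the response to a request that carried Authorization only when the response says public, must-revalidate or s-maxage, and max-age=0 then makes every stored copy stale at once, so the cache has to revalidate with the origin and forwards the client's Authorization header. The header dictionaries and the bearer token are constructed sample input.

```python
from typing import Dict, Optional

def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def parse_cache_control(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Split 'public, max-age=0' into {'public': None, 'max-age': '0'}."""
    directives: Dict[str, Optional[str]] = {}
    for part in (value or "").split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip()] = arg.strip().strip('"') if arg else None
    return directives

def shared_cache_may_store(request: Dict[str, str], response: Dict[str, str]) -> bool:
    """RFC 7234 section 3.2: a shared cache must not store the response to a
    request that carried Authorization unless the response has must-revalidate,
    public or s-maxage; no-store and private forbid storing in any case."""
    cc = parse_cache_control(_header(response, "Cache-Control"))
    if "no-store" in cc or "private" in cc:
        return False
    if _header(request, "Authorization") is None:
        return True
    return any(d in cc for d in ("must-revalidate", "public", "s-maxage"))

def may_serve_without_revalidation(response: Dict[str, str], age_seconds: int) -> bool:
    """Freshness (RFC 7234 section 4.2): a stored copy may be served without
    contacting the origin only while its age is below s-maxage (shared caches)
    or max-age. With max-age=0 it is stale immediately, so the cache forwards a
    conditional request, with the client's Authorization header, to the origin,
    which performs the real role check. no-cache always forces revalidation."""
    cc = parse_cache_control(_header(response, "Cache-Control"))
    if "no-cache" in cc:
        return False
    lifetime = cc.get("s-maxage") or cc.get("max-age") or "0"
    if not lifetime.isdigit():
        return False  # invalid lifetime: treat the copy as stale
    return age_seconds < int(lifetime)

# Constructed sample: the question's Web API response as seen by a forward proxy.
AUDITOR_REQUEST = {"Authorization": "Bearer <placeholder-token>"}
ANSWER_RESPONSE = {"Cache-Control": "public, max-age=0"}
```

Note that public together with a positive s-maxage or max-age lets a shared cache hand the stored InventoryAuditor user list to any later client for that lifetime without consulting the origin, which is why max-age=0 (or must-revalidate with a short lifetime) is what keeps the role check at the origin.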