HTTP缓存的授权检查 [英] Authorization check for HTTP Caches

查看：101 发布时间：2018/7/9 15:43:38 rest http caching http-caching

本文介绍了HTTP缓存的授权检查的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

对于 REST 服务，我有下面列出的Web API方法。这是为了获取InventoryAuditors的所有用户信息。只有经过授权的InventoryAuditor用户才能访问此资源。

I have Web API method as listed below, for a REST service. This is for getting all users information for InventoryAuditors. Only authorized InventoryAuditor users can access this resource.

[RoutePrefix("api/users")]
public class UsersController : ApiController
{
    [Authorize(Roles="InventoryAuditor")]
    [Route("")]
    [HttpGet]
    public List<User> GetAllUsers()
    {
        //Return list of users
    }

}

public class User
{
    public int UserID { get; set; }
    public string FirstName { get; set; }
}

问题

此资源是否可以缓存共享缓存（例如转发代理和其他中间缓存）？

如果是，共享缓存如何执行授权检查 - 缓存如何知道必须仅为InventoryAuditors提供资源？

标题如何使此授权表示可以缓存？

Is this resource cacheable for shared caches (like Forward Proxies and other intermediary caches)?
If yes, how does the shared cache perform authorization check – how does the cache know that the resource must be served only for InventoryAuditors?
How the headers should look like to make this authorized representation cacheable?

或 HTTP缓存在授权资源的情况下不是全部使用？

Or is HTTP Caching not all to be used in case of authorized resources?

注意：文章网站作者和网站管理员的缓存教程说：

默认情况下，使用HTTP身份验证保护的页面被视为私有;它们不会被共享缓存保留。但是，您可以使用Cache-Control：public header将经过身份验证的页面公开;符合HTTP 1.1标准的缓存将允许缓存它们。

By default, pages protected with HTTP authentication are considered private; they will not be kept by shared caches. However, you can make authenticated pages public with a Cache-Control: public header; HTTP 1.1-compliant caches will then allow them to be cached.

参考