如何使用 SOAP 进行身份验证?
如何使用 SOAP 对用户进行身份验证?
How do I authenticate users with SOAP?
我是否必须要求用户在每次 SOAP 请求时都发送他的用户名和密码,然后我根据数据库对他进行身份验证?
Will I have to require the user to send his username and password with every SOAP request and I authenticate him against the database?
这似乎不会引起不必要的查询吗?
Doesn't that seem to cause unnecessary queries?
推荐答案
一种更简单的方法是在第一次查询时进行身份验证,在服务器端建立一个会话记录,其中包含远程 IP 地址和您提供给客户端作为 authToken.然后让客户端在以后的查询中传递这个 authToken.此 authToken 必须与您保留的有关客户端的内部会话数据相匹配,但允许您避免为了进行身份验证而必须往返数据库.
An easier way would be to authenticate on the first query, build a session record on the server side containing the remote IP address and a token that you give to the client as an authToken. Then have the client pass this authToken in future queries. This authToken has to match the internal session data you keep about the client, but would allow you to avoid having to make round-trips to the database just to do authentication.
也就是说,@Marcus Adams 在下面关于无状态性有一个很好的观点.有人在推动各种SOAP 安全模型.WS-Security 是当前最先进的技术,在这里.它们都通过将身份验证信息放入 SOAP 标头中来工作——毕竟,这就是 SOAP 消息包含标头和正文部分的原因.
That said, @Marcus Adams has a good point below with regard to stateless-ness. There are people out there pushing all sorts of SOAP security models. WS-Security is the current state of the art, here. They all work by putting authentication information in the SOAP header - after all, that's why a SOAP message contains both a header and a bodypart.
相关文章