問題描述
如何使用 SOAP 對用戶進行身份驗證?
How do I authenticate users with SOAP?
我是否必須要求用戶在每次 SOAP 請求時都發送他的用戶名和密碼,然后我根據數據庫對他進行身份驗證?
Will I have to require the user to send his username and password with every SOAP request and I authenticate him against the database?
這似乎不會引起不必要的查詢嗎?
Doesn't that seem to cause unnecessary queries?
推薦答案
一種更簡單的方法是在第一次查詢時進行身份驗證,在服務器端建立一個會話記錄,其中包含遠程 IP 地址和您提供給客戶端作為 authToken.然后讓客戶端在以后的查詢中傳遞這個 authToken.此 authToken 必須與您保留的有關客戶端的內部會話數據相匹配,但允許您避免為了進行身份驗證而必須往返數據庫.
An easier way would be to authenticate on the first query, build a session record on the server side containing the remote IP address and a token that you give to the client as an authToken. Then have the client pass this authToken in future queries. This authToken has to match the internal session data you keep about the client, but would allow you to avoid having to make round-trips to the database just to do authentication.
也就是說,@Marcus Adams 在下面關于無狀態性有一個很好的觀點.有人在推動各種SOAP 安全模型.WS-Security 是當前最先進的技術,在這里.它們都通過將身份驗證信息放入 SOAP 標頭中來工作——畢竟,這就是 SOAP 消息包含標頭和正文部分的原因.
That said, @Marcus Adams has a good point below with regard to stateless-ness. There are people out there pushing all sorts of SOAP security models. WS-Security is the current state of the art, here. They all work by putting authentication information in the SOAP header - after all, that's why a SOAP message contains both a header and a bodypart.
這篇關于如何使用 SOAP 進行身份驗證?的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!