Question
How do I authenticate users with SOAP?
Will I have to require the user to send his username and password with every SOAP request, and then authenticate him against the database?
Doesn't that seem to cause unnecessary queries?
Accepted answer
An easier way would be to authenticate on the first query, build a session record on the server side containing the remote IP address and a token that you give to the client as an authToken. Then have the client pass this authToken in future queries. This authToken has to match the internal session data you keep about the client, but would allow you to avoid having to make round-trips to the database just to do authentication.
That said, @Marcus Adams has a good point below with regard to statelessness. There are people out there pushing all sorts of SOAP security models. WS-Security is the current state of the art here. They all work by putting authentication information in the SOAP header - after all, that's why a SOAP message contains both a header and a body part.
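The session-token scheme from the answer (authenticate once, keep a server-side record with the remote IP, match the authToken carried in the SOAP Header on later requests), as an added example that is not part of the original answer. The user store, the `urn:example:auth` header namespace and the 15-minute lifetime are assumptions made for the example.

```python
import secrets, hashlib, hmac, time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 Envelope namespace
APP_NS = "urn:example:auth"  # hypothetical namespace for the AuthToken header element
SESSION_TTL = 900  # seconds a token stays valid (assumption for the example)

def _hash_pw(password, salt):
    # Store and compare PBKDF2 hashes, never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"                       # constructed sample data
USERS = {"alice": _hash_pw("correct horse", _SALT)}
SESSIONS = {}  # authToken -> {"user", "ip", "expires"}; the answer's server-side session record

def login(username, password, remote_ip):
    """First request: hit the credential store once and issue an unguessable authToken."""
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, _hash_pw(password, _SALT)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "ip": remote_ip,
                       "expires": time.time() + SESSION_TTL}
    return token

def authenticate(envelope_xml, remote_ip, now=None):
    """Later requests: read AuthToken from the SOAP Header and match the stored session."""
    now = time.time() if now is None else now
    root = ET.fromstring(envelope_xml)
    node = root.find(f"{{{SOAP_NS}}}Header/{{{APP_NS}}}AuthToken")
    if node is None or not node.text:
        return None                   # no token presented
    token = node.text.strip()
    session = SESSIONS.get(token)
    if session is None or session["ip"] != remote_ip:
        return None                   # unknown token, or token replayed from another address
    if session["expires"] < now:
        SESSIONS.pop(token, None)     # expired: drop the record, force a fresh login
        return None
    return session["user"]

def envelope_with_token(token):
    """Constructed request envelope: the token travels in the Header, the call in the Body."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:a="{APP_NS}">'
            f'<soap:Header><a:AuthToken>{token}</a:AuthToken></soap:Header>'
            '<soap:Body><a:GetBalance/></soap:Body></soap:Envelope>')
```

The IP check is the binding the answer proposes; clients behind NAT or a proxy share one address, so the unguessable token and the expiry carry most of the protection.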
這篇關(guān)于如何使用 SOAP 進(jìn)行身份驗(yàn)證?的文章就介紹到這了,希望我們推薦的答案對(duì)大家有所幫助,也希望大家多多支持html5模板網(wǎng)!