This article covers how authorization checks are handled with HTTP caching.

Problem description

I have the Web API method listed below, for a REST service. It returns all user information for InventoryAuditors. Only authorized InventoryAuditor users can access this resource.

using System.Collections.Generic;
using System.Web.Http;

[RoutePrefix("api/users")]
public class UsersController : ApiController
{
    // Only callers in the InventoryAuditor role reach this action; the role check
    // runs on the server for every request, including conditional revalidations.
    [Authorize(Roles = "InventoryAuditor")]
    [Route("")]
    [HttpGet]
    public List<User> GetAllUsers()
    {
        // Return list of users (stand-in data; the original left this body empty)
        return new List<User> { new User { UserID = 1, FirstName = "Ann" } };
    }
}

public class User
{
    public int UserID { get; set; }
    public string FirstName { get; set; }
}

Questions

  1. Is this resource cacheable by shared caches (like forward proxies and other intermediary caches)?
  2. If yes, how does the shared cache perform an authorization check? How does the cache know that the resource must be served only to InventoryAuditors?
  3. How should the headers look to make this authorized representation cacheable?

Or is HTTP caching not to be used at all in the case of authorized resources?

Note: the article says:

References

  1. https://tools.ietf.org/html/rfc7235#section-4.2
  2. https://tools.ietf.org/html/rfc7234#section-3.2
  3. https://tools.ietf.org/html/rfc7234#section-5.2.2
  4. Hypertext Transfer Protocol (HTTP/1.1): Caching
  5. Feature: Bearer Authentication - Squid
  6. Stupid Web Caching Tricks


Recommended answer

What I understand from reading various resources is that the following headers may help in caching authorized resources.

Cache-Control: public, max-age=0


  1. max-age=0: requires the cache to revalidate with the server using a
     conditional GET request. When revalidating with the server, the
     Authorization header is sent to the server.

  2. max-age=0 is different from must-revalidate. max-age=0 allows the cache
     to store responses that contain the Authorization header.

See also
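To show how the headers in the answer behave at a shared cache, here is an added Python simulation (not code from the question or the answer): a stand-in for the /api/users origin, plus a minimal shared cache that applies the RFC 7234 section 3.2 storage rule and revalidates stale entries with a conditional GET carrying the client's own Authorization header. The tokens, ETag and response body are constructed.

```python
def parse_cache_control(value):
    """Split 'public, max-age=0' into {'public': None, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip() or None
    return directives

def shared_cache_may_store(req, resp):
    """RFC 7234 section 3.2: a shared cache must not store a response to a request that
    carried Authorization unless Cache-Control says must-revalidate, public or s-maxage."""
    if "Authorization" not in req:
        return True
    cc = parse_cache_control(resp.get("Cache-Control", ""))
    return any(d in cc for d in ("must-revalidate", "public", "s-maxage"))

def is_fresh(resp, age):
    cc = parse_cache_control(resp.get("Cache-Control", ""))
    lifetime = cc.get("s-maxage", cc.get("max-age"))   # shared caches prefer s-maxage
    return lifetime is not None and age < int(lifetime)

# Constructed origin standing in for the /api/users resource: the role check runs on every request.
TOKENS = {"Bearer auditor-token": "InventoryAuditor", "Bearer clerk-token": "Clerk"}
USERS_BODY, USERS_ETAG = '[{"UserID":1,"FirstName":"Ann"}]', '"v1"'
def origin(headers):
    if TOKENS.get(headers.get("Authorization")) != "InventoryAuditor":
        return 403, {}, "forbidden"
    resp = {"Cache-Control": "public, max-age=0", "ETag": USERS_ETAG}
    if headers.get("If-None-Match") == USERS_ETAG:
        return 304, resp, ""
    return 200, resp, USERS_BODY

class SharedCache:
    def __init__(self):
        self.entry = None  # (response headers, body, time stored)
    def get(self, req, now):
        stale = self.entry is not None and not is_fresh(self.entry[0], now - self.entry[2])
        if self.entry is not None and not stale:
            return 200, self.entry[1]             # fresh hit: served without asking the origin
        headers = dict(req)
        if stale:                                 # max-age=0 makes every hit stale ...
            headers["If-None-Match"] = self.entry[0]["ETag"]   # ... so revalidate conditionally,
        status, resp, body = origin(headers)      # forwarding the client's own Authorization
        if status == 304:                         # role re-checked by the origin, body unchanged
            self.entry = (resp, self.entry[1], now)
            return 200, self.entry[1]
        if status == 200 and shared_cache_may_store(req, resp):
            self.entry = (resp, body, now)
        return status, body                       # 403 for the clerk: cached body is never served
```

The second request, from a client outside the InventoryAuditor role, gets the origin's 403 even though the cache already holds the body; the cache never makes the authorization decision itself.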



09-24 23:17