This page covers how authorization checks interact with HTTP caching.
Problem description
I have a Web API method as listed below, for a REST service. This is for getting all users information for InventoryAuditors. Only authorized InventoryAuditor users can access this resource.
using System.Collections.Generic;
using System.Web.Http;

[RoutePrefix("api/users")]
public class UsersController : ApiController
{
    // Only callers in the InventoryAuditor role reach this action
    [Authorize(Roles = "InventoryAuditor")]
    [Route("")]
    [HttpGet]
    public List<User> GetAllUsers()
    {
        // Return list of users (placeholder body; the real service reads them from its data store)
        return new List<User>();
    }
}

public class User
{
    public int UserID { get; set; }
    public string FirstName { get; set; }
}
Questions
- Is this resource cacheable for shared caches (like forward proxies and other intermediary caches)?
- If yes, how does the shared cache perform the authorization check – how does the cache know that the resource must be served only to InventoryAuditors?
- How should the headers look to make this authorized representation cacheable?
Or is HTTP caching not to be used at all in the case of authorized resources?
Note: the article says:
References
- https://tools.ietf.org/html/rfc7235#section-4.2
- https://tools.ietf.org/html/rfc7234#section-3.2
- https://tools.ietf.org/html/rfc7234#section-5.2.2
- Hypertext Transfer Protocol (HTTP/1.1): Caching
- Feature: Bearer Authentication - Squid
- Stupid Web Caching Tricks
Accepted answer
What I understand from reading various resources is that the following headers may help in caching authorized resources.
Cache-Control: public, max-age=0
- max-age=0: requires the cache to revalidate with the server using a conditional GET request. When revalidating with the server, the Authorization header is sent to the server.
- max-age=0 is different from must-revalidate. max-age=0 allows the cache to store the response that includes the Authorization header.
See also
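As an added example (not code from the question or the answer), here is a small Python simulation of the exchange the answer describes: a shared cache stores the response only because it carries public, and because of max-age=0 it revalidates every later request with a conditional GET that carries the current requester's own Authorization header, so the origin's role check runs for every user before the stored body is reused. The user names, roles, body and ETag are constructed sample values, and the cache models only the max-age=0 case.

```python
# Toy shared cache (constructed example) in front of an origin that enforces the
# InventoryAuditor role on every request; models Cache-Control: public, max-age=0.
ROLES = {"alice": "InventoryAuditor", "bob": "Clerk"}   # constructed sample users
USERS_BODY = '[{"UserID": 1, "FirstName": "Ann"}]'
ETAG = '"users-v1"'

def origin(req_headers):
    """GET /api/users: authorize first, then answer the (conditional) request."""
    user = req_headers.get("Authorization", "").removeprefix("Bearer ")
    if ROLES.get(user) != "InventoryAuditor":
        return 403, {"Cache-Control": "no-store"}, "forbidden"
    headers = {"Cache-Control": "public, max-age=0", "ETag": ETAG}
    if req_headers.get("If-None-Match") == ETAG:
        return 304, headers, ""               # stored copy is still valid
    return 200, headers, USERS_BODY

def shared_cache_may_store(req_headers, resp_headers):
    """RFC 7234 s.3.2: a response to a request carrying Authorization is storable
    by a shared cache only with public, must-revalidate or s-maxage present."""
    cc = [d.strip() for d in resp_headers.get("Cache-Control", "").split(",")]
    if "no-store" in cc or "private" in cc:
        return False
    if "Authorization" not in req_headers:
        return True
    return any(d in ("public", "must-revalidate") or d.startswith("s-maxage=")
               for d in cc)

class SharedCache:
    def __init__(self):
        self.store = {}   # path -> (response headers, body)
        self.log = []     # ("miss" | "revalidate", origin status)

    def get(self, path, req_headers):
        entry = self.store.get(path)
        fwd = dict(req_headers)
        if entry is not None:
            # max-age=0 makes the entry stale at once: send a conditional GET with
            # the *current* requester's credentials so the origin re-authorizes.
            fwd["If-None-Match"] = entry[0]["ETag"]
        status, headers, body = origin(fwd)
        self.log.append(("miss" if entry is None else "revalidate", status))
        if status == 304:
            return 200, entry[1]              # serve stored body after fresh auth check
        if status == 200 and shared_cache_may_store(req_headers, headers):
            self.store[path] = (headers, body)
        return status, body
```

Without public in the response (plain max-age=0), shared_cache_may_store returns False for a request that carried Authorization, which is the RFC 7234 rule the answer relies on.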