我需要一些澄清。我一直在阅读关于REST和构建基于REST的应用程序的书籍。根据维基百科,REST本身被定义为具象状态传输。因此,我不理解所有这些无国籍的官样文章,每个人都在不停地吐出来。
从维基百科:
在任何特定的时间,客户端可以处于之间的转换
应用程序处于“静止”状态。处于休息状态的客户端可以
与用户交互,但不创建负载,也不消耗每个客户端
服务器集或网络上的存储。
他们只是说不要使用会话/应用程序级数据存储吗?
我知道REST的一个目标是使URI访问一致且可用,例如,不是在帖子中隐藏分页请求,而是使请求的页码成为get URI的一部分。对我来说很有道理。但是,说每个客户端数据(会话数据)都不应该存储在服务器端似乎有点过头了。
如果我有一个消息队列,而我的用户想要读取消息,但在读取消息时,又想在会话期间阻止某些发送者的消息通过,该怎么办?将其存储在服务器端的某个位置,并让服务器只发送未被用户阻止的消息(或消息ID),这难道不合理吗?
每次请求新的消息列表时,我真的必须发送整个消息发送者列表来阻止吗?与我相关的消息列表在一开始就不应该是公开可用的资源。
我只是想理解一下。谁来澄清一下。
更新:
我发现了一个堆栈溢出的问题,它的答案并不能让我一直走到那里:
如何在REST中管理状态
这说明客户端状态很重要,应该在每个请求上都传输....Ugg . .看起来开销很大…这样对吗??
Stateless means the state of the service doesn’t persist between subsequent requests and response. Each request carries its own user credentials and is individually authenticated. But in stateful each request is known from any prior request. All stateful requests are session-oriented i.e. each request need to know and retain changes made in previous requests.
Banking application is an example of stateful application. Where user first login then make transaction and logs out. If after logout user will try to make the transaction, he will not be able to do so.
Yes, http protocol is essentially a stateless protocol but to make it stateful we make us of HTTP cookies. So, is SOAP by default. But it can be make stateful likewise, depends upon framework you are using.
HTTP is stateless but still we can maintain session in our java application by using different session tracking mechanism.
Yes, We can also maintain session in webservice whether it is REST or SOAP. It can be implemented by using any third party library or you can implement by our own.
摘自http://gopaldas.org/webservices/soap/webservice-is-stateful-or-stateless-rest-soap
他们只是说不要使用会话/应用程序级数据存储吗?
不。他们不是在用一种无关紧要的方式说。
他们说不要定义“会话”。不登录。不注销。为请求提供凭据。每个请求都是独立的。
您仍然有数据存储。您仍然拥有身份验证和授权。您只是不需要浪费时间建立会话和维护会话状态。
关键在于,每个请求(a)都是完全独立的,(b)可以简单地外包给一个巨大的并行服务器群,而不需要任何实际工作。Apache或Squid可以盲目且成功地传递RESTful请求。
如果我有一个消息队列,而我的用户想要读取消息,但在读取消息时,又想在会话期间阻止某些发送者的消息通过,该怎么办?
如果用户需要一个过滤器,那么只需在每个请求上提供过滤器。
难道……不合理吗?服务器是否只发送未被用户阻止的消息(或消息ID) ?
是的。在RESTful URI请求中提供筛选器。
每次请求新的消息列表时,我真的必须发送整个消息发送者列表来阻止吗?
是的。这个“要阻止的消息发送者列表”可以有多大?一个简短的PK列表?
GET请求可以非常大。如果有必要,您可以尝试POST请求,尽管它听起来像一种查询。
Statelessness means that every HTTP request happens in complete isolation. When the client makes an HTTP request, it includes all the information necessary for the server to fulfill that request. The server never relies on information from previous requests. If that information was important, the client would have to send it again in subsequent request. Statelessness also brings new features. It’s easier to distribute a stateless application across load-balanced servers. A stateless application is also easy to cache.
实际上有两种状态。客户机上的应用程序状态和服务器上的资源状态。
web服务只需要在实际发出请求时关心应用程序的状态。其他时候,它甚至不知道你的存在。这意味着无论客户端何时发出请求,都必须包含服务器处理请求所需的所有应用程序状态。
每个客户机的资源状态都是相同的,它的适当位置在服务器上。当您将图片上传到服务器时,您创建了一个新资源:新图片有自己的URI,可以作为未来请求的目标。您可以通过HTTP协议获取、修改和删除该资源。
在开发RESTful服务时,为了登录,您需要对用户进行身份验证。一种可能的选择是在每次执行用户操作时发送用户名和密码。在这种情况下,服务器将根本不存储会话数据。
Another option is to generate a session-id on the server and send it to the client, so the client will be able to send session-id to the server and authenticate with that. This is much much safer than sending username and password each time, since if somebody gets their hand on that data, then he/she can impersonate the user until the username and password is changed. You may say that even the session id can be stolen and the user will be impersonated in that case and you are right. However, in this case impersonating the user will only be possible while the session id is valid.
如果RESTful API需要用户名和密码才能更改用户名和密码,那么即使有人使用会话id冒充用户,黑客也无法锁定真正的用户。
会话id可以通过单向锁定(加密)某个标识用户的东西并将时间添加到会话id中来生成,这样就可以定义会话的过期时间。
The server may or may not store session ids. Of course, if the server stores the session id, then it would violate the criteria defined in the question. However, it is only important to make sure that the session id can be validated for the given user, which does not necessitate storing the session id. Imagine a way that you have a one-way-encryption of email, user id and some user-specific private data, like favorite color, this would be the first level and somehow adding the username date to the encrypted string and apply a two-way encryption. As a result when a session id is received, the second level could be decrypted to be able to determine which username the user claims to be and whether the session time is right. If this is valid, then the first level of encryption could be validated by doing that encryption again and checking whether it matches the string. You do not need to store session data in order to achieve that.
