Authorization check for HTTP Caches
I have the Web API method listed below, used in a REST service. It fetches all user information for InventoryAuditors. Only authorized InventoryAuditor users may access this resource.
```csharp
using System.Collections.Generic;
using System.Web.Http;

[RoutePrefix("api/users")]
public class UsersController : ApiController
{
    [Authorize(Roles = "InventoryAuditor")]
    [Route("")]
    [HttpGet]
    public List<User> GetAllUsers()
    {
        // Return list of users (body omitted in the original post)
        return new List<User>();
    }
}

public class User
{
    public int UserID { get; set; }
    public string FirstName { get; set; }
}
```
Questions
- Is this resource cacheable by shared caches (such as forward proxies and other intermediate caches)?
- If so, how does a shared cache perform the authorization check? How does the cache know that the resource must only be served to InventoryAuditors?
- What headers should be set so that this authorized representation is cacheable? Or is HTTP caching not usable at all for resources that require authorization?
Note: the article "Caching Tutorial for Web Authors and Webmasters" says:
By default, pages protected with HTTP authentication are considered private; they will not be kept by shared caches. However, you can make authenticated pages public with a Cache-Control: public header; HTTP 1.1-compliant caches will then allow them to be cached.
References
From the link you provided:
In particular, a response with either "max-age=0, must-revalidate" or "s-maxage=0" cannot be used to satisfy a subsequent request without revalidating it on the origin server.
A forward web proxy should be able to inspect the response's Cache-Control header to determine whether the response can be used to serve subsequent requests.
A quick test shows that a response to an authorized request in ASP.NET has the following header set:
Cache-Control: private, s-maxage=0
That is what the protocol says; how response caching is actually handled depends on the web server you use.
Update
1) Is this resource usable by shared caches (such as forward proxies and other intermediate caches)?
No.
Cache-Control: private
"Indicates that all or part of the response message is intended for a single user and MUST NOT be cached by a shared cache. This allows an origin server to state that the specified parts of the response are intended for only one user and are not a valid response for requests by other users. A private (non-shared) cache MAY cache the response."
https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1
2) If so, how does a shared cache perform the authorization check? How does the cache know that the resource must only be served to InventoryAuditors?
Not applicable.
3) What are the different ways to implement caching of such authorized content in shared caches?
You can set the headers programmatically to whatever you need in order to control the caching behaviour of shared proxies.
proxy-revalidate
"The proxy-revalidate directive has the same meaning as the must-revalidate directive, except that it does not apply to non-shared user agent caches. It can be used on a response to an authenticated request to permit the user's cache to store and later return the response without needing to revalidate it (since it has already been authenticated once by that user), while still requiring proxies that service many users to revalidate each time (in order to make sure that each user has been authenticated). Note that such authenticated responses also need the public cache control directive in order to allow them to be cached at all."
https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.4
From reading various sources I understand that the following headers may help with caching authorized resources.
Cache-Control: public, max-age=0
- max-age=0: requires the cache to revalidate with the server using a conditional GET request. When revalidating with the server, the Authorization headers are sent to the server.
- max-age=0 is different from must-revalidate. max-age=0 allows caching of responses that also contain Authorization headers.