spring 使用 Jersey 的 RESTful Web 服务的会话管理
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/12150076/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Session management for a RESTful Web Service using Jersey
提问by Ali
I am developing a Restful Web Service using Jerseybetween my Android, iPhoneapps and MySQL. I also use Hibernateto map the data to the database.
我正在我的应用程序和 MySQL之间使用 Jersey开发一个Restful Web 服务Android, iPhone。我还使用Hibernate将数据映射到数据库。
I have a sessionId (key). it is generated when user Login to the system.
我有一个 sessionId(密钥)。它是在用户登录系统时生成的。
In Userclass:
在User课堂上:
public Session daoCreateSession() {
if (session == null) {
session = new Session(this);
} else {
session.daoUpdate();
}
return session;
}
In SessionClass:
在Session课堂上:
Session(User user) {
this.key = UUID.randomUUID().toString();
this.user = user;
this.date = new Date();
}
void daoUpdate() {
this.key = UUID.randomUUID().toString();
this.date = new Date();
}
When user Sign in to the system successfully, I send this sessionId to the Mobile app client. Then when I want to get some information from database based on the logged in user, I check this Session keyas authentication in the REST Servicesfor every request.
当用户成功登录系统时,我将此 sessionId 发送到移动应用客户端。然后,当我想根据登录用户从数据库中获取一些信息时,我检查此会话密钥作为in the REST Services每个请求的身份验证。
For example for the list of project that user is involved in, I use client.GET(SERVER_ADDRESS/project/get/{SessionID})
例如对于用户参与的项目列表,我使用 client.GET(SERVER_ADDRESS/project/get/{SessionID})
insetead of client.GET(SERVER_ADDRESS/project/get/{username}).
插入client.GET(SERVER_ADDRESS/project/get/{username}).
And if it is not a valid session key, I'll send back to the client a 403 forbidden code. You can also take a look here
如果它不是有效的会话密钥,我会将 403 禁止代码发送回客户端。你也可以看看这里
The thing is I am not sure about my approach. what do you think about consin this approach considering for Jersey and a mobile app?
问题是我不确定我的方法。cons考虑到 Jersey 和移动应用程序,您对这种方法有何看法?
I have researched about Spring Security. I still don't know can I use it instead, if the Session keyapproach is not good. Can you help me?
我已经研究过Spring Security。如果Session key方法不好,我仍然不知道我可以用它代替。你能帮助我吗?
采纳答案by Nooshin
If you want to use SessionId then it should have a validation time, like this:
如果你想使用 SessionId 那么它应该有一个验证时间,像这样:
private static final int MINUTES = 90;
public boolean isValid() {
return System.currentTimeMillis() - date.getTime() < 1000 * 60 * MINUTES;
}
I also suggest you to take a look at Jersey security and session management.
我还建议您查看Jersey 安全性和会话管理。
Check these links for Spring security: Spring Security with Jerseyand Spring security application sample.
检查 Spring security 的这些链接: Spring Security with Jersey和Spring security application sample。
Look at Jersey rest API securityalso.
回答by EngineerBetter_DJ
This is a solved problem - servlet containers like Tomcat already do session management, and can distribute session state to other containers in the cluster either by broadcasting over TCP, or by using a shared data source like memcache.
这是一个已解决的问题 - 像 Tomcat 这样的 servlet 容器已经进行了会话管理,并且可以通过 TCP 广播或使用像 memcache 这样的共享数据源将会话状态分发到集群中的其他容器。
I'd suggest reading up on what's already available, rather than inadvertently reinventing the wheel. Additionally, this is going to become an incredibly hot table table if your application proves popular. How will you clear out old session IDs?
我建议阅读已有的内容,而不是无意中重新发明轮子。此外,如果您的应用程序被证明很受欢迎,这将成为一个非常热门的表格。您将如何清除旧的会话 ID?
