rest - Where exactly is REST authentication used?

Repost. Author: 行者123. Updated: 2023-12-02 23:30:53

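I have been reading for hours but have not been able to find a clear, understandable explanation. Where exactly is REST authentication used?

  • Between the browser and the server (to replace something like the PHP session / browser cookie combination)?
  • Between a server and another server?
  • Between nodes/modules on the same server?

Suppose I am developing a system from scratch and, instead of using some monolithic MVC on the server side, I want to follow Twitter's example and make "everything REST": a distributed system of independent modules that communicate with each other via REST. Can REST (authentication) then also be used between the browser and the server?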

Best answer

In order to further improve behavior for Internet-scale requirements, we add layered system constraints (Figure 5-7). As described in Section 3.4.2, the layered system style allows an architecture to be composed of hierarchical layers by constraining component behavior such that each component cannot "see" beyond the immediate layer with which they are interacting. By restricting knowledge of the system to a single layer, we place a bound on the overall system complexity and promote substrate independence. Layers can be used to encapsulate legacy services and to protect new services from legacy clients, simplifying components by moving infrequently used functionality to a shared intermediary. Intermediaries can also be used to improve system scalability by enabling load balancing of services across multiple networks and processors.

The primary disadvantage of layered systems is that they add overhead and latency to the processing of data, reducing user-perceived performance [32]. For a network-based system that supports cache constraints, this can be offset by the benefits of shared caching at intermediaries. Placing shared caches at the boundaries of an organizational domain can result in significant performance benefits [136]. Such layers also allow security policies to be enforced on data crossing the organizational boundary, as is required by firewalls [79].

The combination of layered system and uniform interface constraints induces architectural properties similar to those of the uniform pipe-and-filter style (Section 3.2.2). Although REST interaction is two-way, the large-grain data flows of hypermedia interaction can each be processed like a data-flow network, with filter components selectively applied to the data stream in order to transform the content as it passes [26]. Within REST, intermediary components can actively transform the content of messages because the messages are self-descriptive and their semantics are visible to intermediaries.

You really should read the layered system part of Fielding's dissertation.

Where exactly is REST authentication used?

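It is used between the REST client and the REST service (the client sends the service a request that contains an authentication header). The REST client can be in a browser, on another server, on your own server (for example a load balancer), etc... What counts as the REST client and what counts as the REST service depends on the current context. With REST you have a hierarchy of layers, where an upper layer contains clients that call the services of the next layer, and so on... The components of this structure (clients, services) are not aware of the existence of the layer hierarchy...

For example, a proxy may relay a request to the next layer without authorization, because authorization will be done by another component. You might authenticate the client and add a secondary authentication header carrying the user's identity or permissions, so the layers below do not have to deal with the username and password again. There are many options...

Just a word about OAuth. It is used to authorize third-party (untrusted) clients to access a user account. So in this case the client runs on a different server, and it sends the access token the user registered (instead of a username and password). This third-party client uses the permitted part of that user's permissions. Many users can register the same third-party client, with different access tokens of course.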
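
The "secondary authentication header" pattern from the answer, as an added example that is not part of the original answer: a gateway layer checks Basic credentials once and forwards an HMAC-signed identity header that the lower layer verifies without ever seeing the password. The header name `X-Authenticated-User`, the shared key, the user store and the function names are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json, time

HEADER = "X-Authenticated-User"           # hypothetical header name
LAYER_KEY = b"constructed-demo-layer-key"  # constructed key shared by both layers

def _pw_hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 10_000)

# Constructed user store: password hash and permissions per user.
USERS = {"alice": (_pw_hash("s3cret-pw"), ["orders:read"])}

def _sign(payload):
    return hmac.new(LAYER_KEY, payload, hashlib.sha256).hexdigest().encode()

def gateway(headers, now=None):
    """Outer layer: verify Basic credentials, forward a signed identity header."""
    # Drop any identity header sent by the client; only this layer may set it.
    fwd = {k: v for k, v in headers.items() if k.lower() != HEADER.lower()}
    scheme, _, value = fwd.pop("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        raw = base64.b64decode(value, validate=True).decode()
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    user, _, password = raw.partition(":")
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored[0], _pw_hash(password)):
        return None
    claims = {"sub": user, "perms": stored[1],
              "exp": int(now or time.time()) + 60}  # short-lived assertion
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    fwd[HEADER] = (body + b"." + _sign(body)).decode()
    return fwd  # the Authorization header is not passed to the lower layer

def inner_service(headers, needed, now=None):
    """Lower layer: trusts only a header carrying a valid gateway signature."""
    body, _, sig = headers.get(HEADER, "").partition(".")
    if not body or not hmac.compare_digest(_sign(body.encode()), sig.encode()):
        return 401
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < (now or time.time()):
        return 401
    return 200 if needed in claims["perms"] else 403
```

The signature is what lets the lower layer reject an identity header that did not come from the gateway; without it, anything that can reach the inner service directly could assert any user.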

About rest - Where exactly is REST authentication used?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/19124053/
