Should I use sockets in client/server application?

Similar: Socket vs HTTP based communication for a mobile client/server application

I'm currently working on a Java client-server based program (with the intention to turn it into an Android app). I've successfully implemented the server engine, and the clients beautifully connect and exchange data. My implementation is based upon this answer of mine.

The drawback is, all communication is done directly with sockets, no protocol at all. Is this the accepted, secure - or professional - way of client-server communication?

Even further, in case I want to accept credit cards, PayPal or Google Wallet, will my app be compliant with their security standards as I don't use SSL? What about if I'll use my own level of security, say javax.crypto.CipherOutputStream?

Your question is on the verge of being too broad, but anyway ;-) As we don't know the "quality" and depth of your own socket based communication protocol it is hard to tell if it is able to "compete" with other protocols. So let's just assume that you took care of the necessary stuff and your server is able to handle many parallel connections and follows "best-practice".

I see advantages in implementing one's own protocol, you already mentioned them:

  • it is based on something you already know and feel comfortable with (sockets)
  • you have full control and don't depend on any framework
  • you know the "guts" of your implementation and are the first authority when questions arise

But there are certainly disadvantages and risks:

  • not only can you do everything, this can soon become a must
  • your protocol needs to work well outside laboratory conditions. In the real world you won't see the quality of wired or Wifi networks. 2G/3G/4G networks can be unstable, interruptions occur and transfer speeds can be slow
  • Some environments might have problems with non-http(s) traffic

If your reason for implementing your own socket based protocol was efficiency there are other protocols that are not "chatty" and work on a byte level. You could have a look at MQTT for example if you really consider a replacement.

If you are not allergic to http you can have a look at REST over https.

But no matter which protocol you consider "fit" for the main communication of your application: you can always mix in http(s) for services that demand this.

WebSocket is a low-level protocol, think of it as a socket on the web. Everything, including a simple request/response design pattern, how to create/update/delete resources, status codes etc., needs to be built on top of it. All of these are well defined for HTTP.

WebSocket is a stateful protocol whereas HTTP is a stateless protocol.

WebSocket connections are known to scale vertically on a single server whereas HTTP can scale horizontally. There are some proprietary solutions for WebSocket horizontal scaling, but they are not standards-based. HTTP comes with a lot of other goodies such as caching, routing, multiplexing, gzipping and a lot more. All of these need to be defined on top of WebSocket. How will Search Engine Optimization (SEO) work with WebSocket? Works very well for HTTP URLs. All proxy, DNS, firewalls are not yet fully aware of WebSocket traffic. They allow port 80 but might restrict traffic by snooping on it first. Security with WebSocket is an all-or-nothing approach.
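What "needs to be built on top of it" means in practice for a raw socket or WebSocket stream, as an added example that is not part of the original answers: a minimal length-prefixed request/response framing in Java with request ids, status codes and a bounded frame size. The wire format, the class and method names and the 64 KiB limit are assumptions made for illustration; the record syntax needs Java 16 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

// Hypothetical wire format (an assumption for this example, not from the post):
// [int length][int requestId][short status][UTF-8 body]
public class FramedProtocolDemo {
    static final int MAX_FRAME = 64 * 1024; // reject oversized frames before allocating
    static final int HEADER = 6;            // requestId (4 bytes) + status (2 bytes)

    record Message(int requestId, int status, String body) {}

    static void write(DataOutputStream out, Message m) throws IOException {
        byte[] body = m.body().getBytes(StandardCharsets.UTF_8);
        if (body.length > MAX_FRAME - HEADER) throw new IOException("body too large");
        out.writeInt(HEADER + body.length);
        out.writeInt(m.requestId());
        out.writeShort(m.status());
        out.write(body);
        out.flush();
    }

    static Message read(DataInputStream in) throws IOException {
        int len = in.readInt();               // EOFException if the peer hung up
        if (len < HEADER || len > MAX_FRAME)  // never trust a peer-supplied length
            throw new IOException("bad frame length " + len);
        int id = in.readInt();
        int status = in.readUnsignedShort();
        byte[] body = new byte[len - HEADER];
        in.readFully(body);                   // loops over partial reads
        return new Message(id, status, new String(body, StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: two responses back to back, as on one TCP stream.
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(wire);
        write(out, new Message(1, 200, "balance=42"));
        write(out, new Message(2, 404, "no such account"));
        DataInputStream in =
            new DataInputStream(new ByteArrayInputStream(wire.toByteArray()));
        System.out.println(read(in));
        System.out.println(read(in));

        // Constructed frame header claiming about 2 GiB: refused, nothing allocated.
        byte[] oversized = {0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
        try {
            read(new DataInputStream(new ByteArrayInputStream(oversized)));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same `read` and `write` methods work unchanged on the streams of a `java.net.Socket` or an `SSLSocket`; the framing gives message boundaries and status codes only, not confidentiality or authentication.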

A better approach might be to replace the sockets based connection with a RESTful API that performs the same functions. Using that approach you will be able to use PayPal and accept credits. Also, you can use more standard methods, like OAuth2, to handle authentication. It also works well with Android to have a RESTful API to communicate with the server component.
