
What are the characteristics of Scalable, Secure and Easy to Use Web Services?

Our application currently exposes web services built with WSDL 1.1 and SOAP 1.1 following the W3C standards below:

http://schemas.xmlsoap.org/soap/http is the WSDL 1.1 binding for the SOAP 1.1 HTTP binding.

We want to revamp our web services to be Scalable, Secure and Easy to Use.

Easy to use refers to the fact that at this moment the web services do not incorporate any of the business logic on that layer. Basically, our current web service could be seen as an import/export service for external/3rd party developers.

This effort brings me to the question:

What do I have to expect of a revamp of our web services that are scalable, secure and easy to use?


Current issues with our Web Services

  • You have to login (1st transaction) to receive a token (keeps the session in memory) in order to use them.
  • It is not scalable because any developer could open 20K sessions and crash the web service server.
  • It is not secure because the same users from the admin of the site could use the web services.
  • It is not easy to use, because the web service does not incorporate any of the business logic.

The reason our clients like our web service interface is that any data element they add in the web application is exposed in the web service (WSDL) definition immediately.


One more bit of information:

I was hoping to confirm my theory that all the points mentioned above as issues could be solved if we implemented our web services in a RESTful way, since each transaction will not cause memory buildup and each transaction will incorporate security settings with a public key or similar.

Either way, JRO is right; maybe if I slice the question into a series I will get better results. I will keep this question here until the end of the day; if I get nothing better I will take JRO's advice.
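The stateless per-request authentication the asker is theorising about, as an added example that is not part of the original post: instead of a login transaction that parks a session token in server memory, every request carries a key id, a timestamp and an HMAC over the request itself, so the server needs no per-client state and a captured request stops verifying once the timestamp window closes. The key ids, secret, header names and the 300-second skew window are all constructed assumptions, and HMAC is used here as the "or similar" in place of public-key signatures.

```python
import hmac
import hashlib
import time

# Constructed sample credential store: API key id -> shared secret (assumption).
# In a real deployment this lookup would hit a database or a secrets service.
API_SECRETS = {"partner-42": b"example-shared-secret-not-for-production"}

# Allowed clock skew between client and server, in seconds (assumption).
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, timestamp, body):
    """Build the exact bytes both sides sign: method, path, timestamp, body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(key_id, secret, method, path, body, timestamp=None):
    """Client side: produce the headers sent instead of a session token."""
    ts = str(int(timestamp if timestamp is not None else time.time()))
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": ts, "X-Signature": mac}


def verify_request(headers, method, path, body, now=None):
    """Server side: verify with no per-client session state; returns (ok, reason)."""
    secret = API_SECRETS.get(headers.get("X-Key-Id"))
    if secret is None:
        return False, "unknown key id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    current = int(now if now is not None else time.time())
    if abs(current - ts) > MAX_SKEW_SECONDS:
        # Old requests stop verifying, which bounds how long a captured request can be replayed.
        return False, "timestamp outside allowed window"
    expected = hmac.new(secret, canonical_string(method, path, str(ts), body), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the signature through timing differences.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"
```

Replay inside the skew window is still possible with this scheme alone; closing that gap needs a short-lived per-key nonce cache, which is the one piece of server-side state that remains.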

You're asking three different questions that might be interrelated but are so large that the aggregate answer of "it depends" is the only one you'll get. If this is the scope of your project, then break it down further, i.e. more granularity. Try solving this one issue at a time.

Let's approach this from your identified web service issues (the concepts around your question are too big for this space):

  • You have to login (1st transaction) to receive a token: not certain why this is viewed as a "problem" without some context. Is generating/checking the token a problem? Is the implementation for the user a problem? You need to clarify why this is an issue.

  • It is not scalable because any developer could open 20K sessions and crash the web service server. HTTP connection matters are best handled by web servers and load balancers, not programmatic management. If you need to limit a single endpoint's connections, start at the hardware layer.

  • It is not secure because the same users from the admin of the site could use the web services. This implies the security implementation for the service, and how the logic around credentials is handled internally. Not sure what to say other than fix this -- it's your logic, you're in control of what to do once you have credentials in hand. If the problem is the security control model, that's a different topic. Identify what the real crux of the issue is, and don't confuse your implementation with tried-and-true models.

  • It is not easy to use, because the web service does not incorporate any of the business logic. Without details of what this means, it means very little; not enough context. However, this type of question leans toward web service method/function design. To that end, coarse granularity in your methods is preferred -- make them more inclusive, rather than less.

My suggestion: bite off a single piece, such as the security implementation, and work with that first. Attempting to take on the other pieces simultaneously will only make things more confusing for you.

What are the characteristics of Scalable, Secure and Easy to Use Web Services?

Scalability, security, and ease of use. Beyond that, it's going to depend a lot on what you're trying to do. You've provided very little information on what your web service does, what the issues are, and what you'd like it to do.

Regarding security, I can suggest that you download a free copy of Microsoft's Web Service Security Guide.

This guide will help you quickly make the most appropriate security decisions in the context of your Web service's requirements while providing the rationale and education for each option. A scenario-driven approach is provided to demonstrate situations where different security patterns are successful. The guide also combines a series of decision matrices to assist you in applying your own criteria to use the Web service security patterns to meet the requirements of your environment.

It's very useful in any development environment.
Have a good read!
