[英]Web app user authentication with 2 production servers using spring security
Working on the server side of a java based web application (will serve mobile and web clients) and I need to implement users authentication.在基于 Java 的 Web 应用程序的服务器端工作(将服务于移动和 Web 客户端),我需要实现用户身份验证。 In production I have 2 servers (duplicated, working against the same DB) with a load balancer.
在生产中,我有 2 台带有负载平衡器的服务器(重复,针对同一个数据库工作)。 I used Spring security before so this is the most intuitive way for me but here is my issue:
我之前使用过 Spring security,所以这对我来说是最直观的方式,但这是我的问题:
Spring security authenticates the user once against the DB (when the user logs-in) and later requests are processed and authenticated using a session based token. Spring security 会针对 DB 对用户进行一次身份验证(当用户登录时),随后的请求将使用基于会话的令牌进行处理和身份验证。 Now, suppose that one of my production servers is down then I'm loosing my session, meaning the user will get some sort of "unauthorized" response.
现在,假设我的一个生产服务器出现故障,然后我失去了我的会话,这意味着用户将得到某种“未经授权”的响应。 How can I deal with this?
我该如何处理?
I thought of 3 options我想到了 3 个选项
So these are my thoughts, I would like to get your insights about those and new suggestions if you have.所以这些是我的想法,如果你有的话,我想得到你对这些的见解和新的建议。
How about the state the user maintains across the session?用户在整个会话中保持的状态如何? If you have such a situation, than you'll lose the data if the server fails.
如果您遇到这种情况,那么如果服务器出现故障,您将丢失数据。
I think the best would be starting with sticky session mechanism here and leaving the authentication as is.我认为最好的方法是从这里的粘性会话机制开始,并保持身份验证不变。
Sticky session can be configured on the load balancer and usually means the following:粘性会话可以在负载均衡器上配置,通常意味着以下内容:
I don't think that authenticating each request is a good idea (think about web 2, ajax requests) - this will make your server and db highly loaded and as a result it won't be able to process a lot of users/requests simultaneously.我不认为对每个请求进行身份验证是一个好主意(想想 web 2,ajax 请求) - 这将使您的服务器和数据库负载很高,因此它将无法处理大量用户/请求同时。
Hope this helps希望这可以帮助
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.