使用 Spring Security 对 2 个生产服务器的 Web 应用程序用户进行身份验证
[英]Web app user authentication with 2 production servers using spring security
问题描述
Working on the server side of a java based web application (will serve mobile and web clients) and I need to implement users authentication.
在基于 Java 的 Web 应用程序的服务器端工作(将服务于移动和 Web 客户端),我需要实现用户身份验证。 In production I have 2 servers (duplicated, working against the same DB) with a load balancer.在生产中,我有 2 台带有负载平衡器的服务器(重复,针对同一个数据库工作)。 I used Spring security before so this is the most intuitive way for me but here is my issue:我之前使用过 Spring security,所以这对我来说是最直观的方式,但这是我的问题:
Spring security authenticates the user once against the DB (when the user logs-in) and later requests are processed and authenticated using a session based token. Spring security 会针对 DB 对用户进行一次身份验证(当用户登录时),随后的请求将使用基于会话的令牌进行处理和身份验证。 Now, suppose that one of my production servers is down then I'm loosing my session, meaning the user will get some sort of "unauthorized" response.现在,假设我的一个生产服务器出现故障,然后我失去了我的会话,这意味着用户将得到某种“未经授权”的响应。 How can I deal with this?我该如何处理?
I thought of 3 options我想到了 3 个选项
- Use a key-value store such as redis and save my tokens there.使用诸如redis 之类的键值存储并将我的令牌保存在那里。 If I do that I guess I have to interfere with springs core code - once when user logges in (save the token to the key-value store) and once when authenticating a user (authenticate against this key-value store instead of spring's in-memory HttpSessionSecurityContextRepository).如果我这样做,我想我必须干扰 springs 核心代码 - 一次在用户登录时(将令牌保存到键值存储),一次在对用户进行身份验证时(针对此键值存储而不是 spring 的输入进行身份验证)内存 HttpSessionSecurityContextRepository)。
- Use Spring security in a way that it authenticates users against the DB in every request (I'm not sure it is even possible).以在每个请求中针对数据库对用户进行身份验证的方式使用 Spring 安全性(我不确定这是否可能)。
- Not using spring security and simply create a filter or some interceptor in order to authenticate each and every request against the DB.不使用 spring 安全性,只需创建一个过滤器或一些拦截器,以便对数据库的每个请求进行身份验证。 This means 2 things: the firsts is that my client will have to apply username and password to each and every request (probably in the header), And second is that I will have to query the DB for each and every request.这意味着两件事:第一是我的客户必须将用户名和密码应用于每个请求(可能在标题中),第二是我必须为每个请求查询数据库。
So these are my thoughts, I would like to get your insights about those and new suggestions if you have.所以这些是我的想法,如果你有的话,我想得到你对这些的见解和新的建议。
1 个解决方案
解决方案1
0 已采纳 2012-09-20 05:40:51
How about the state the user maintains across the session?用户在整个会话中保持的状态如何? If you have such a situation, than you'll lose the data if the server fails.如果您遇到这种情况,那么如果服务器出现故障,您将丢失数据。
I think the best would be starting with sticky session mechanism here and leaving the authentication as is.我认为最好的方法是从这里的粘性会话机制开始,并保持身份验证不变。
Sticky session can be configured on the load balancer and usually means the following:粘性会话可以在负载均衡器上配置,通常意味着以下内容:
- Once the use from IP A opens your aplication on server S1 all the subsequent requests will be redirected to this server, but the next user will be automatically connected to server S2 (load balancer will make such a decision).一旦来自 IP A 的使用在服务器 S1 上打开您的应用程序,所有后续请求都将重定向到该服务器,但下一个用户将自动连接到服务器 S2(负载均衡器将做出这样的决定)。 So all-in-all, if you have, say, 10 users working at the same time, 5 of them will be connected to server S1 and the rest to the server B.总而言之,如果您有 10 个用户同时工作,其中 5 个将连接到服务器 S1,其余连接到服务器 B。
I don't think that authenticating each request is a good idea (think about web 2, ajax requests) - this will make your server and db highly loaded and as a result it won't be able to process a lot of users/requests simultaneously.我不认为对每个请求进行身份验证是一个好主意(想想 web 2,ajax 请求) - 这将使您的服务器和数据库负载很高,因此它将无法处理大量用户/请求同时。
Hope this helps希望这可以帮助
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.