Question
I have a Web API method, listed below, for a REST service. It returns all users' information to InventoryAuditors; only authorized InventoryAuditor users can access this resource.
```csharp
using System.Collections.Generic;
using System.Web.Http;

[RoutePrefix("api/users")]
public class UsersController : ApiController
{
    // Only callers in the InventoryAuditor role may reach this action.
    [Authorize(Roles = "InventoryAuditor")]
    [Route("")]
    [HttpGet]
    public List<User> GetAllUsers()
    {
        // Return list of users (placeholder body; the question omits it)
        return new List<User>();
    }
}

public class User
{
    public int UserID { get; set; }
    public string FirstName { get; set; }
}
```
Questions
- Is this resource cacheable for shared caches (like forward proxies and other intermediary caches)?
- If yes, how does the shared cache perform the authorization check? How does the cache know that the resource must be served only to InventoryAuditors?
- How should the headers look to make this authorized representation cacheable? Or is HTTP caching not to be used at all in the case of authorized resources?
Note: The article "Caching Tutorial for Web Authors and Webmasters" says:
By default, pages protected with HTTP authentication are considered private; they will not be kept by shared caches. However, you can make authenticated pages public with a Cache-Control: public header; HTTP 1.1-compliant caches will then allow them to be cached.
REFERENCES
- https://tools.ietf.org/html/rfc7235#section-4.2
- https://tools.ietf.org/html/rfc7234#section-3.2
- https://tools.ietf.org/html/rfc7234#section-5.2.2
- Hypertext Transfer Protocol (HTTP/1.1): Caching (RFC 7234)
- Feature: Bearer Authentication - Squid
- Stupid Web Caching Tricks
Answer 1:
What I understand from reading various resources is that the following headers may help in caching authorized resources:
Cache-Control: public, max-age=0
- max-age=0: requires the cache to revalidate with the server using a conditional GET request. While revalidating with the server, the Authorization headers will be sent to the server.
- max-age=0 differs from must-revalidate. max-age=0 also allows caching of responses that contain Authorization headers.
Also refer to:
- Rest in Practice - REST+caching+authorize
- Web Caching - Authentication
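The answer above lists a header combination without showing how a shared cache actually decides, so here is the decision logic written out as an added example (not code from the question, the answers or any proxy product). It applies the rules of RFC 7234 sections 3, 3.2, 4.2.4 and 5.2.2 to a request that carried an Authorization header: whether a shared cache may store the response at all, and whether it may later answer from the stored copy without contacting the origin. The Cache-Control strings in run_demo() are constructed to match the ones discussed on this page; heuristic freshness and the remaining storability conditions of section 3 are deliberately not modelled.

```python
"""Decide what a shared cache (forward proxy, CDN) may do with a response to a
request that carried an Authorization header, per RFC 7234 sections 3, 3.2,
4.2.4 and 5.2.2. Added example; not code from the question or the answers.
The Cache-Control strings in run_demo() are constructed to match the ones
discussed on the page."""


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def shared_cache_may_store(cache_control, request_had_authorization):
    """RFC 7234 s3: 'private' and 'no-store' responses must not be stored by a
    shared cache. s3.2: when the request carried Authorization, a shared cache
    may store the response only if it also carries public, must-revalidate or
    s-maxage. (Other storability conditions of s3 are not modelled here.)"""
    cc = parse_cache_control(cache_control)
    if "no-store" in cc or "private" in cc:
        return False
    if request_had_authorization:
        return any(d in cc for d in ("public", "must-revalidate", "s-maxage"))
    return True


def shared_cache_may_reuse(cache_control, age_seconds, origin_reachable=True):
    """May a shared cache answer from the stored copy without contacting the
    origin? no-cache: never. Fresh (age below s-maxage, else max-age): yes.
    Stale with a reachable origin: no, it must revalidate (s4.2.4). Stale with
    the origin down: only if must-revalidate, proxy-revalidate and s-maxage
    are all absent (s5.2.2.1, s5.2.2.7, s5.2.2.9)."""
    cc = parse_cache_control(cache_control)
    if "no-cache" in cc:
        return False
    lifetime = cc.get("s-maxage") if "s-maxage" in cc else cc.get("max-age")
    if lifetime is None:
        return False  # no explicit lifetime; heuristic freshness not modelled
    if age_seconds < int(lifetime):
        return True
    if origin_reachable:
        return False
    return not any(d in cc for d in ("must-revalidate", "proxy-revalidate", "s-maxage"))


def run_demo():
    """Evaluate the header sets the answers discuss, for a request that
    carried Authorization. Returns {header: (may_store, may_reuse_at_age_0)}."""
    candidates = [
        "public, max-age=0",                     # answer 1
        "max-age=0",                             # Authorization without public
        "private, s-maxage=0",                   # what ASP.NET sent in answer 2
        "public, proxy-revalidate, max-age=60",  # answer 2, section 14.9.4
    ]
    return {h: (shared_cache_may_store(h, True), shared_cache_may_reuse(h, 0))
            for h in candidates}


if __name__ == "__main__":
    for header, (store, reuse) in run_demo().items():
        print(f"{header:40} store={store!s:5} serve-without-revalidation={reuse}")
```

Two points the output makes visible: max-age=0 on its own does not make a response to an authorized request storable by a shared cache (public, must-revalidate or s-maxage is required), and proxy-revalidate only takes effect once the stored copy is stale, so with a positive max-age a proxy will serve it to any client for that long; to force the revalidation on every request that both answers rely on, combine it with max-age=0 or s-maxage=0.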
Answer 2:
From the link you provided:
"In particular, a response with either "max-age=0, must-revalidate" or "s-maxage=0" cannot be used to satisfy a subsequent request without revalidating it on the origin server."
A forward web proxy should be able to examine the Cache-Control header of the response to determine whether it can be used to serve subsequent requests.
A simple test revealed that responses to authorized requests in ASP.NET have the following header set:
Cache-Control: private, s-maxage=0
This is as per the protocol; how response caching is actually handled depends upon the web server you are using.
UPDATE
1) Is this resource cacheable for shared caches (like forward proxies and other intermediary caches)?
NO
"Cache-Control: private - Indicates that all or part of the response message is intended for a single user and MUST NOT be cached by a shared cache. This allows an origin server to state that the specified parts of the response are intended for only one user and are not a valid response for requests by other users. A private (non-shared) cache MAY cache the response."
https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.1
2) If yes, how does the shared cache perform the authorization check? How does the cache know that the resource must be served only to InventoryAuditors?
NA
3) What are the different approaches for achieving caching of such authorized content in shared caches?
You can programmatically set headers to anything you want to manipulate the caching behavior of shared proxies.
"proxy-revalidate - The proxy-revalidate directive has the same meaning as the must-revalidate directive, except that it does not apply to non-shared user agent caches. It can be used on a response to an authenticated request to permit the user's cache to store and later return the response without needing to revalidate it (since it has already been authenticated once by that user), while still requiring proxies that service many users to revalidate each time (in order to make sure that each user has been authenticated). Note that such authenticated responses also need the public cache control directive in order to allow them to be cached at all."
https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.4
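Question 2 above is answered "NA", but it is worth seeing the mechanism that makes "public" plus revalidate-every-time safe: the shared cache never checks roles itself. The following added example (not code from the question, the answers or ASP.NET) models a forward proxy that has stored a "Cache-Control: public, max-age=0" response to GET /api/users. Because the copy is stale immediately, each later request becomes a conditional GET to the origin carrying that client's own Authorization header; the origin runs the equivalent of [Authorize(Roles="InventoryAuditor")] and answers 304 (serve the stored body), 200 (new body), 401 or 403. The bearer tokens, the token-to-role mapping, the ETag value and the user record are constructed for the example.

```python
"""A shared cache that stored a 'Cache-Control: public, max-age=0' response
to GET /api/users does no authorization itself: because the copy is stale at
once, every later request is revalidated at the origin with the client's own
Authorization header, and the stored body is served only when the origin
answers 304. Added example, not the page's code; the bearer tokens, the
token-to-role mapping and the ETag value are constructed."""

ROLES_BY_TOKEN = {"tok-auditor": {"InventoryAuditor"}, "tok-clerk": {"Clerk"}}
USERS_BODY = '[{"UserID": 1, "FirstName": "Ada"}]'
USERS_ETAG = '"users-v1"'
CACHE_CONTROL = "public, max-age=0"


def origin(request):
    """Origin server playing the role of [Authorize(Roles="InventoryAuditor")]
    on GET /api/users. Returns (status, headers, body)."""
    auth = request.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    roles = ROLES_BY_TOKEN.get(token)
    if roles is None:
        return 401, {"WWW-Authenticate": "Bearer"}, ""
    if "InventoryAuditor" not in roles:
        return 403, {}, ""
    headers = {"ETag": USERS_ETAG, "Cache-Control": CACHE_CONTROL}
    if request.get("If-None-Match") == USERS_ETAG:
        return 304, headers, ""  # validator matches, caller is authorized: reuse
    return 200, headers, USERS_BODY


class SharedCache:
    """Minimal forward-proxy cache for the single path /api/users."""

    def __init__(self):
        self.stored = None  # (headers, body) once a storable response is seen
        self.log = []

    def get(self, request):
        if self.stored is None:
            status, headers, body = origin(request)
            self.log.append(f"MISS -> origin {status}")
            # RFC 7234 s3.2: a response to a request with Authorization is
            # storable by a shared cache only with public/must-revalidate/
            # s-maxage; this demo checks only 'public' (simplified).
            if status == 200 and "public" in headers.get("Cache-Control", ""):
                self.stored = (headers, body)
            return status, body
        headers, body = self.stored
        # max-age=0: stale immediately, so a conditional GET goes to the origin
        # carrying this client's Authorization header, not the first client's.
        conditional = dict(request)
        conditional["If-None-Match"] = headers["ETag"]
        status, new_headers, new_body = origin(conditional)
        self.log.append(f"REVALIDATE -> origin {status}")
        if status == 304:
            return 200, body  # origin vouched for this client: serve stored copy
        if status == 200:
            self.stored = (new_headers, new_body)  # representation changed
            return 200, new_body
        return status, new_body  # 401/403: the cached body is never exposed


def run_demo():
    """An auditor fills the cache; a clerk and an anonymous client are refused
    even though the body is cached; the auditor is then served via a 304."""
    cache = SharedCache()
    results = [
        cache.get({"Authorization": "Bearer tok-auditor"}),
        cache.get({"Authorization": "Bearer tok-clerk"}),
        cache.get({}),
        cache.get({"Authorization": "Bearer tok-auditor"}),
    ]
    return results, cache.log


if __name__ == "__main__":
    results, log = run_demo()
    for line, (status, body) in zip(log, results):
        print(f"{line:28} client sees {status} {body[:24]!r}")
```

The bandwidth saving is the 304 on the last request: the body stays at the proxy and only the conditional request and a header-only reply cross the link to the origin, while the authorization decision is still made by the origin for every client. The same flow holds for the "public, proxy-revalidate" combination quoted above once the stored copy is stale; the one thing a proxy must never do is short-circuit that round trip, which is exactly what "private" (the ASP.NET default observed in this answer) prevents it from attempting.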
Source: https://stackoverflow.com/questions/39060208/authorization-check-for-http-caches