如何在服务器上保存用户凭据以在后台运行查询
背景:
我们有一个 ASP.NET / Silveright Web 应用程序。 silverlight客户端显示用户 图形形式的特定数据 - 它从服务器请求数据:
问题: 由于服务器必须执行底层数据库查询,获取这些数据的成本很高 - 因此客户端必须等待......
优化思路: 我们在服务器上定期运行数据库查询,将结果写入 “靠近”ASP.NET 服务器运行位置的数据库中的“userdata”表。
运行查询并将数据写入表的过程是 由与 ASP.NET 服务器分离的“数据收集”服务执行。
当客户端请求数据时,服务器从“userdata”表中检索数据。 这应该很好而且很快——我们可能在与 ASP.NET 服务器相同的机器上有“userdata”表。我们还有一个额外的好处,即使底层数据库处于离线状态,客户端也可以看到数据。
当然,数据不是实时的 - 但所有数据一旦到达客户端就可能是旧的。
现在我的问题是: “数据收集”服务需要用户凭据才能执行这些数据库操作 查询(因为每个用户对同一查询得到不同的结果)。
问题:
如何以可接受的“安全”方式将用户凭据存储在数据库中? 这样“数据收集”就可以模拟用户来执行数据库查询。 我们最初的场景是基于使用 Windows 集成登录数据库。
Background:
We have an ASP.NET / Silveright web application. The silverlight client displays user
specific data in a graphical form - it requests the data from the server:
Problem:
Getting this data is expensive, due to the underlying database queries that the server has to perform - so the client has to wait...
Optimisation Idea:
We run the database queries at regular intervals on the server, writing the results to a
'userdata' table in a database 'close' to where the ASP.NET server runs.
The process of running the queries and writing the data to the tables is
performed by a 'data collection' service, which is separated from the ASP.NET server.
When the client requests data the server retrieves it from a 'userdata' table.
This should be nice and quick - we probably have the 'userdata' tables on the same machine as the ASP.NET server. We also have the added benefit that the client sees data even if the underlying database is offline.
Of course the data is not live - but all data is potentially old as soon as it reaches the client.
So now my Problem:
The 'data collection' service needs the user credentials in order to perform these database
queries (because each user gets different results for the same query).
Question:
How can I store user credentials in a database, in an acceptable 'secure' way?
Such that the 'data collection' can impersonate a user to perform the database queries.
Our initial scenario is based upon using windows integrated login to the database.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
据我了解,您将需要为每个用户运行一个查询,但您不希望使其成为阻塞调用。您需要非规范化读取模型(UserData)的响应能力。
我有一个想法,您无需将凭据存储在某处,只需启动一个线程并向该线程提供从请求中获取的当前凭据即可。
我从 ASP.NET MVC 控制器中调用它,如下所示:
这将为每个请求更新 UserData。如果需要,您可以引入一些更新频率的逻辑,并且仅在某些条件下进行调用。
我正在考虑的另一种方法是迈向 CQRS 思维模式,在这种情况下,我将发布一条包含序列化 IPrincipal 的消息,并且该消息将由另一个实例/服务器使用,该实例/服务器将更新读取模型作为一个单独的过程。但我不确定如果在另一台服务器上反序列化,
IPrincipal是否真的可以工作。无论如何,我没有看到保留凭据的好处。只需在新线程的范围内或在所使用的消息的上下文中使用它们即可。
As I understand this you will need to run a query per user but you do not want to make this a blocking call. You want the responsiveness of a denormalized read model, the UserData.
I have an idea where you instead of storing the credentials somewhere, you simply start a thread and provide that thread with the current credentials taken from the request.
I call this from an ASP.NET MVC Controller like this:
This would update the UserData for each request. If you want, you could introduce some logic for the update frequency and only make the call on certain conditions.
Another approach I was thinking about was a step towards the CQRS mindset, where I in this case would publish a message containing the serialized
IPrincipaland that message would be consumed by another instance/server that would update the read model as a separate process. But I am uncertain that theIPrincipalwould actually work if deserialized on another server.Anyway, I don't see the benefit of persisting the credentials. Just use them in the scope of a new thread or in the context of a message consumed.