Project Prerequisites:
The Client Access server interface needs to carry the access_token generated according to username and password,
That is, to access all (except for the Access_token interface) to carry the Access_token,
The server side through the interceptor to determine whether the user Access_token failure, etc.
Application Scenarios:
1. The browser access server obtains the Access_token interface and obtains access_token through username and password.
2. The server generates Access_token based on username and password, and puts the Access_token in session and returns as follows:
HttpSession HttpSession = Request.getsession (true);
Httpsession.setattribute ("Access_token", Accesstoken);
3. The browser accesses all interfaces (except for the Access_token interface) with Access_token, and the server side makes the following comparisons:
HttpSession HttpSession = Request.getsession (true);
String Reqeustaccesstoken = Request.getparameter ("Access_token");
String sessionaccesstoken = (string) httpsession.getattribute ("Access_token");
if (Reqeustaccesstoken! = null && reqeustaccesstoken.equals (Sessionaccesstoken)) {
If equal, the description Access_token is valid.
}
Test results:
1. Open the browser, via Chrome's Rest simulation plug-in, call the server to get Access_token interface,
Get Access_token through username and password.
2. Carry Access_token access to other service interfaces, no problem, can obtain data normally.
3. Close the browser to re-carry the interface just obtained Access_token access to get data, prompting Access_token invalidation.
By testing as above, the instructions are no problem.
Problem found:
Through the form of Web Access is no problem, as above, in fact, can be understood as, open the browser, in fact, is to open a session,
Closes the session by closing the browser.
The problem is that the client, iOS, and Android each access interface is the equivalent of opening a session, so simply through the mechanism above
The problem is that when you carry the access_token that you just acquired to access other service interfaces, the print Sessionaccesstoken is empty.
Solution:
The solution is: introduce a cookie mechanism? That is, the client must support cookies, and each time the cookie returned by the Access service interface is stored.
The next time you access the interface, bring the last cookie, and the problem is resolved.
Problem: The session is only parsed by the server, as follows:
HttpSession HttpSession = Request.getsession (true);
String Reqeustaccesstoken = Request.getparameter ("Access_token");
String sessionaccesstoken = (string) httpsession.getattribute ("Access_token");
if (Reqeustaccesstoken! = null && reqeustaccesstoken.equals (Sessionaccesstoken)) {
If equal, the description Access_token is valid.
}
There is no parsing of cookies, and the server does the work automatically?
Working principle:
1. The Client Access server obtains the Access_token interface and acquires Access_token through username and password.
2. The server generates Access_token based on username and password, and puts the Access_token in session and returns as follows:
HttpSession HttpSession = Request.getsession (true);
Httpsession.setattribute ("Access_token", Accesstoken);
Note: The session management mechanism can be understood as a collection, which is stored in memory.
3. After the client obtains the Access_token, adds the cookie that the server returns to the local, note: The cookie holds the session information.
4. The client again carries the Access_token Access server interface with the cookie information.
5. Server-Side Execution httpSession httpSession = Request.getsession (True), the server will automatically read the cookie information,
Gets the session information in the cookie, then, based on the session information, obtains the corresponding session from the session collection, and then obtains from the session
Sessionaccesstoken, finally do compare, judge whether Access_token is effective.
Session management between the client (iOS and Android) and the server (sessions and cookies)