thrift-user mailing list archives

From Brian Hammond <br...@brianhammond.com>
Subject Re: Regarding Thrift and Ajax
Date Mon, 27 Apr 2009 20:40:52 GMT
When you say "not so long ago" it sounds like the exception-with-random-bytes
issue has since been fixed?  I'll have to try this out!

The other things you mention can be handled from within the thrift-based
service handler but yes, thrift is not an out-of-the-box solution for
everything.

FWIW, I'm using iptables for incoming connection limiting [1],  
fail2ban [2] for temporarily banning clients that are misbehaving, and  
homebrew stuff for authentication, replay attacks, etc.


[1] http://www.debian-administration.org/articles/187
[2] http://www.fail2ban.org/wiki/index.php/Main_Page

On Apr 27, 2009, at 3:24 PM, Ted Dunning wrote:

> Swaroop,
>
> Thrift is generally best for internal consumption.  If you expose an API to
> the wild world, you need more than just a JSON translator.  You also need
> anti-spoofing measures, transaction rate limits, authentication and input
> verification.  Raw thrift is really pretty raw and not so long ago, it was
> pretty easy to get an Exception by just sending random bytes to a Thrift
> server.
>
> That said, if *all* you care about is the JSON/Thrift translation,
> jabsorb+thrift looks pretty sweet.
>
> On Mon, Apr 27, 2009 at 10:57 AM, Dave Engberg <dengberg@evernote.com> wrote:
>
>>
>> ... a JavaScript ORB bridge.
>>
>>
>>
>> Swaroop C H wrote:
>>
>>> ... how do people deal with the issue
>>> of interaction between Ajax and Thrift-based APIs?
>>> ...
>>> If the Ajax cannot access the API directly, then a wrapper (that works
>>> with Ajax) would have to be written for every single service call.
>>>
>>>

