thrift-user mailing list archives

From George Chung <geo...@glympse.com>
Subject Re: username/password - security in Apache Thrift
Date Wed, 25 Sep 2013 19:09:00 GMT
And it's worth noting that authentication via client side certs is a
"standard, reliable, vetted mechanism" that is already layered into Thrift
via its support for SSL.

un/pw authentication is typically considered an application layer concern.
I've not heard of TLS-SRP until now...that's cool!


On Wed, Sep 25, 2013 at 11:11 AM, Ben Craig <bencraig@apache.org> wrote:

> > Does the thrift user have to build all the user authentication into
> > the protocol? It seems like there should be some standard, reliable,
> > vetted mechanism that could be layered into Thrift.
>
> Sending a username and password over an SSL connection is a very common
> pattern.  It is difficult for Thrift to do "everything" here, because
> Thrift doesn't have access to whatever the backing database is that stores
> the usernames and passwords.
>
> If you are looking for something that uses the username and password as
> the only forms of authentication (in lieu of certificates), then you
> should investigate TLS-SRP (http://en.wikipedia.org/wiki/TLS-SRP).  You
> would likely need to create a new transport class to wrap TLS-SRP.
>
