thrift-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From George Chung <>
Subject Re: username/password - security in Apache Thrift
Date Wed, 25 Sep 2013 19:09:00 GMT
And it's worth noting that authentication via client side certs is a
"standard, reliable, vetted mechanism" that is already layered into Thrift
via its support for SSL.

un/pw authentication is typically considered an application layer concern.
I've not heard of TLS-SRP until now...that's cool!

On Wed, Sep 25, 2013 at 11:11 AM, Ben Craig <> wrote:

> > Does the thrift user have to build all the user authentication into
> > the protocol? It seems like there should be some standard, reliable,
> > vetted mechanism that could be layered into Thrift.
> Sending a username and password over an SSL connection is a very common
> pattern.  It is difficult for Thrift to do "everything" here, because
> Thrift doesn't have access to whatever the backing database is that stores
> the usernames and passwords.
> If you are looking for something that uses the username and password as
> the only forms of authentication (in lieu of certificates), then you
> should investigate TLS-SRP (  You
> would likely need to create a new transport class to wrap TLS-SRP.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message