thrift-user mailing list archives

From "Jens Geyer" <jensge...@hotmail.com>
Subject Re: username/password - security in Apache Thrift
Date Wed, 25 Sep 2013 23:58:37 GMT
> [...] your server side is going to handle the un
> and cleartext pw and ask some service to validate
> the combination.

Whoa. How do you manage comparing against a clear text pwd when you have 
salted hashes in your DB? You /do/ have salted hashes, don't you?

;-)


-----Original Message----- 
From: George Chung
Sent: Wednesday, September 25, 2013 10:12 PM
To: user@thrift.apache.org
Subject: Re: username/password - security in Apache Thrift

>
> and I think there must be a way to layer in something that knows how to
> use the local password file or LDAP or whatever.


Certainly those mechanisms must have APIs to validate the un/pw that you
received over the wire. Those APIs would return true or false. And if they
return true, they might return a blob of additional data about the
authenticated user.



> The last thing I want to do is authenticate the password myself, because
> I'm sure whatever I came up with would not be "secure" by any reasonably
> thorough definition of security.


Regardless of whether you roll your own or delegate the responsibility to
some other service (via an api), your server side is going to handle the un
and cleartext pw and ask some service to validate the combination.


On Wed, Sep 25, 2013 at 1:01 PM, Craig Artley <cartley@hotmail.com> wrote:

> I guess I am not that clever; I need an example or how-to. I would like to
> add password authentication to a thrift service, and I think there must be
> a way to layer in something that knows how to use the local password file
> or LDAP or whatever. The last thing I want to do is authenticate the
> password myself, because I'm sure whatever I came up with would not be
> "secure" by any reasonably thorough definition of security.
>
> Thanks for the pointers on TLS-SRP.  I'll take a look and see if I can
> figure it out.
>
>   -craig
>
> > Date: Wed, 25 Sep 2013 12:09:00 -0700
> > Subject: Re: username/password - security in Apache Thrift
> > From: george@glympse.com
> > To: user@thrift.apache.org
> >
> > And it's worth noting that authentication via client side certs is a
> > "standard, reliable, vetted mechanism" that is already layered into
> Thrift
> > via its support for SSL.
> >
> > un/pw authentication is typically considered an application layer
> concern.
> > I've not heard of TLS-SRP until now...that's cool!
> >
> >
> > On Wed, Sep 25, 2013 at 11:11 AM, Ben Craig <bencraig@apache.org> wrote:
> >
> > > > Does the thrift user have to build all the user authentication into
> > > > the protocol? It seems like there should be some standard, reliable,
> > > > vetted mechanism that could be layered into Thrift.
> > >
> > > Sending a username and password over an SSL connection is a very 
> > > common
> > > pattern.  It is difficult for Thrift to do "everything" here, because
> > > Thrift doesn't have access to whatever the backing database is that
> stores
> > > the usernames and passwords.
> > >
> > > If you are looking for something that uses the username and password 
> > > as
> > > the only forms of authentication (in lieu of certificates), then you
> > > should investigate TLS-SRP (http://en.wikipedia.org/wiki/TLS-SRP).
>  You
> > > would likely need to create a new transport class to wrap TLS-SRP.
> > >
>
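The point Jens is making, worked through as an added example (this is not code from the thread or from Apache Thrift): the server does receive the cleartext password over the TLS transport, but it never compares it against a stored cleartext. It re-derives a salted hash from the presented password with the user's stored salt and compares the two digests in constant time. The Thrift IDL `service Auth { string login(1: string username, 2: string password) }`, the handler class, and the idea of serving it over `TSSLServerSocket` are assumptions for illustration; the PBKDF2 work factor and the sample user store are constructed. Only the standard library is used, so the module runs without the thrift package; wiring the handler into a Thrift server is left out.

```python
# Added example (not from the thread or Apache Thrift): server-side handling of a
# cleartext password received over TLS, verified against a salted hash.
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Assumed (hypothetical) Thrift IDL for this example:
#   service Auth { string login(1: string username, 2: string password) }
# The handler below is what you would hand to a TServer behind a TSSLServerSocket
# so the password crosses the wire only inside TLS; that wiring is omitted here.

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest. Returns (salt, digest).

    A fresh 16-byte random salt is generated when none is supplied, i.e. at
    enrolment time; at login time the stored salt is passed in.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthHandler:
    """Handler for the hypothetical Auth service.

    The store holds only (salt, digest) per user, never the password itself, so
    there is no cleartext on the server side to compare against.
    """

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]]):
        self._users = users  # username -> (salt, pbkdf2 digest)
        self._sessions: Dict[str, str] = {}
        # Salted digest of a fixed dummy password: a login attempt for an unknown
        # user still costs one PBKDF2 run, so response time does not reveal
        # whether the username exists.
        self._dummy = hash_password("not-a-real-password")

    def login(self, username: str, password: str) -> str:
        """Verify the presented cleartext password; return a session token."""
        salt, expected = self._users.get(username, self._dummy)
        _, presented = hash_password(password, salt)
        # Constant-time digest comparison; never '==' on secrets.
        digest_ok = hmac.compare_digest(presented, expected)
        if digest_ok and username in self._users:
            token = secrets.token_urlsafe(32)
            self._sessions[token] = username
            return token
        # In a real handler this would be a Thrift-declared exception type.
        raise PermissionError("invalid username or password")

    def whoami(self, token: str) -> Optional[str]:
        """Resolve a session token back to the authenticated user."""
        return self._sessions.get(token)


def make_demo_handler() -> AuthHandler:
    """Constructed sample user store standing in for the backing database."""
    users = {"alice": hash_password("correct horse battery staple")}
    return AuthHandler(users)


if __name__ == "__main__":
    handler = make_demo_handler()
    token = handler.login("alice", "correct horse battery staple")
    print("logged in as", handler.whoami(token))
```

The dummy-hash trick only equalises timing between known and unknown usernames; it does not replace rate limiting on the login RPC. If the real store is LDAP or a system password file, the `login` body becomes a bind or a PAM call with the cleartext, and the same rule holds: the cleartext exists in server memory for that call and nowhere else.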