thrift-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Craig <bencr...@apache.org>
Subject RE: username/password - security in Apache Thrift
Date Wed, 25 Sep 2013 18:11:32 GMT
> Does the thrift user have to build all the user authentication into 
> the protocol? It seems like there should be some standard, reliable,
> vetted mechanism that could be layered into Thrift.

Sending a username and password over an SSL connection is a very common 
pattern.  It is difficult for Thrift to do "everything" here, because 
Thrift doesn't have access to whatever the backing database is that stores 
the usernames and passwords.

If you are looking for something that uses the username and password as 
the only forms of authentication (in lieu of certificates), then you 
should investigate TLS-SRP (http://en.wikipedia.org/wiki/TLS-SRP).  You 
would likely need to create a new transport class to wrap TLS-SRP.

Mime
View raw message