Re: Securing public Thrift API

Wed, 19 Feb 2014 12:01:22 -0800 

Hi

Quoting Sachith Withana <swsach...@gmail.com>:


Hi all,

Does thrift support mutual authentication ? ( using client certificates to
authorize the client)

I would say no, but there might be a user already doing it;-)



Oh would it be better to use server public key to set up an SSL and then
use OAuth to authorize the client?

if you already use OAuth, you might pass its authkey to each service function
for service level authentication.



Any suggestions are highly appreciated.
I think client cert auth is a good choice and I'm sure we will have this in the future 
on the major languages.

just committed the common test certificates from THRIFT-2325:
https://git-wip-us.apache.org/repos/asf?p=thrift.git;a=commitdiff;h=161cf42b0948859a9d4f6f5abd7cf0b3d0b73236
improvements on the transport security layer is highly appreciated

no I'm working towards adoption across everything;-)

-roger
;-r




On Wed, Feb 5, 2014 at 4:26 PM, Sachith Withana <swsach...@gmail.com> wrote:


Thanks a lot Roger.

I will look into those.


On Wed, Feb 5, 2014 at 3:35 PM, Roger Meier <ro...@bufferoverflow.ch>wrote:


Hi Sachith

Sorry for the long delay...

I recommend to use a string authToken or similar within each service as
first parameter.
This enables security at service level and is usually the thing you need
from a long term perspective.

On the other hand there is SSL at the transport layer. Good in combination
with the service level authentication.
Supported by many languages, but not yet integrated into the cross
languages
test suite.

The other thing is SASL available on java implementation, patches might be
available for other languages.

All the best!
-roger

-----Original Message-----
From: Sachith Withana [mailto:swsach...@gmail.com]
Sent: Samstag, 1. Februar 2014 19:55
To: dev@thrift.apache.org
Subject: Securing public Thrift API

Hi all,

 I'm working with Apache Airavata and we are in the process of using
Apache
Thrift for both internal and external uses.

I'm looking into the security aspects of Thrift.

Any suggestions on securing the communication?

In the case of Evernote, I read that they are using a proxy as well?


--
Thanks,
Sachith Withana





--
Thanks,
Sachith Withana





--
Thanks,
Sachith Withana

Reply via email to