On Sat, Apr 17, 2010 at 9:12 PM, Brian Cline <[email protected]> wrote:
> In general, authentication is an application-level control and it would be
> impossible for Thrift to provide a framework-level silver bullet for all
> possible kinds of authentication schemes.

I wouldn't use the word "impossible", nor would I expect something that can support every conceivable scenario. But it would be useful to be able to associate some properties with each request without the need for cluttering the service definitions.

> It is also assumed that Thrift runs in a totally trusted environment where
> messages can be freely exchanged between a controlled set of machines. For
> user authenticated requests, it makes more sense to pass some kind of token
> along with an authenticated API request (as Dave mentions was done in
> Evernote's API), rather than adding another state layer within Thrift to
> hold application-level data like authentication tokens.
>
> That being said, the beauty of open source frameworks is that you can both
> examine and modify what's under the hood to fit your needs.
>

yes, but it also helps if people agree on what changes are worth doing rather than maintaining their own fork.

-Bjørn
