Hi Samir--

Thanks for delurking and the OAuth pointers. The server is in Java, and Spring is definitely overkill.

Marlon

On 6/4/14 12:48 AM, Samir Faci wrote:
> I'm presuming the server code base is in java. (I've been lurking on
> here but haven't chatted much). But if you are going the OAuth route
> there are tons of existing libraries in a variety of languages that
> you can pull in.
>
> http://oauth.net/code/
>
> For java specifically,
>
> https://code.google.com/p/oauth/
>
> or
> https://code.google.com/p/oauth-signpost/
>
> would work well. Spring also has a library, though Spring is usually
> overkill unless you have other features from spring that you
> want/need.
>
> On Tue, Jun 3, 2014 at 10:59 AM, Randy Heiland <[email protected]> wrote:
>> Fwiw, here’s the draft document I mentioned below:
>> http://pages.iu.edu/~heiland/ctsc/BestPracticesforThriftClients_EvernoteUseCase.pdf
>>
>> I’d welcome any comments people might have.
>>
>> -Randy
>>
>> On Jun 3, 2014, at 9:05 AM, Marlon Pierce <[email protected]> wrote:
>>
>>> Hi Randy--
>>>
>>> Yes, I mean "Evernote" in the next to the last paragraph--Evernote does
>>> not have the same multitenanted use case.
>>>
>>> I'm looking forward to your document, but I'm also at a conference this
>>> week and want to have a few thoughts in mind for my presentation in case
>>> anyone is interested.
>>>
>>> Marlon
>>>
>>> On 6/3/14 11:00 AM, Randy Heiland wrote:
>>>> Marlon,
>>>>
>>>> In your last paragraph, you mean “Evernote...” and not “Thrift also has…”
>>>> - correct?
>>>>
>>>> I believe you’re correct in your Thrift over HTTP for Evernote assumption,
>>>> based on this:
>>>> http://mail-archives.apache.org/mod_mbox/incubator-thrift-dev/201005.mbox/%[email protected]%3E
>>>>
>>>> I actually have a doc to share with your team shortly regarding
>>>> Evernote/Thrift that we did as part of our (CTSC) engagement with you. And
>>>> I have some follow-on questions that I’ll contact you about offline.
>>>>
>>>> -Randy
>>>>
>>>> On Jun 3, 2014, at 2:33 AM, Marlon Pierce <[email protected]> wrote:
>>>>
>>>>> This email is intended to introduce some security discussion.
>>>>>
>>>>> One of the advantages of Thrift is the ability it will give us to
>>>>> integrate native-language SDKs with desktop clients. This requires
>>>>> though that we will need to think through our security model. In the
>>>>> usual browser-based use case, the user does not make direct calls to the
>>>>> API. These come instead from the gateway server, and we can establish a
>>>>> trust relationship (such as SSL mutual authentication).
>>>>>
>>>>> For the desktop client case, users make direct calls to the Airavata API
>>>>> server, so we have three actors: the desktop application, the API
>>>>> Server, and an auth service. The Auth service performs initial
>>>>> authentication of the user; it is a service that is gateway-dependent.
>>>>> Without going into too many details, OAuth is the usual protocol for
>>>>> doing this. Evernote, in their Thrift API, provides this as an option.
>>>>>
>>>>> Evernote (from what I can tell) uses Thrift over HTTP, or at least uses
>>>>> an HTTP proxy. If we stay with TCP/IP Thrift services in Airavata,
>>>>> does this mean we need to implement OAuth ourselves?
>>>>>
>>>>> Thrift also has a different use case in that they are not a
>>>>> multi-tenanted service: they own all the accounts that they
>>>>> authenticate. In contrast, a single Airavata server may support several
>>>>> unrelated gateways. Each gateway would manage its own user accounts.
>>>>>
>>>>> What are the best options for Airavata?
>>>>>
>>>>>
>>>>> Marlon
