Hi all,

Does Thrift support mutual authentication (using client certificates to
authorize the client)?

Or would it be better to use the server public key to set up SSL and then
use OAuth to authorize the client?

Any suggestions are highly appreciated.


On Wed, Feb 5, 2014 at 4:26 PM, Sachith Withana <[email protected]> wrote:

> Thanks a lot Roger.
>
> I will look into those.
>
>
> On Wed, Feb 5, 2014 at 3:35 PM, Roger Meier <[email protected]> wrote:
>
>> Hi Sachith
>>
>> Sorry for the long delay...
>>
>> I recommend using a string authToken or similar within each service as
>> the first parameter.
>> This enables security at service level and is usually the thing you need
>> from a long term perspective.
>>
>> On the other hand there is SSL at the transport layer. Good in combination
>> with the service level authentication.
>> Supported by many languages, but not yet integrated into the cross
>> languages test suite.
>>
>> The other thing is SASL, available in the Java implementation; patches
>> might be available for other languages.
>>
>> All the best!
>> -roger
>>
>> -----Original Message-----
>> From: Sachith Withana [mailto:[email protected]]
>> Sent: Samstag, 1. Februar 2014 19:55
>> To: [email protected]
>> Subject: Securing public Thrift API
>>
>> Hi all,
>>
>> I'm working with Apache Airavata and we are in the process of using
>> Apache Thrift for both internal and external uses.
>>
>> I'm looking into the security aspects of Thrift.
>>
>> Any suggestions on securing the communication?
>>
>> In the case of Evernote, I read that they are using a proxy as well?
>>
>>
>> --
>> Thanks,
>> Sachith Withana
>>
>>
>
>
> --
> Thanks,
> Sachith Withana
>
>


-- 
Thanks,
Sachith Withana
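
Added example, not part of the original thread and not Thrift or Airavata code: a sketch of the service-level check Roger describes, where every handler method takes an authToken as its first parameter and the server verifies it before the method body runs. The token layout (`client_id.expiry.mac`), the `SECRET` value, `AuthError` and `ExperimentHandler` are assumptions made for illustration; the token is a bearer credential, so it only makes sense over the SSL transport mentioned in the same reply.

```python
import hashlib
import hmac
import time
from functools import wraps

SECRET = b"constructed-demo-key"  # assumption: kept server-side, from a secret store


class AuthError(Exception):
    """Stands in for an exception the service would declare in its IDL."""


def _mac(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(client_id, ttl=300):
    """Build 'client_id.expiry.mac' (token layout is an assumption)."""
    payload = f"{client_id}.{int(time.time()) + ttl}"
    return f"{payload}.{_mac(payload)}"


def verify_token(token):
    """Return the client id of a valid, unexpired token, else raise AuthError."""
    try:
        payload, mac = token.rsplit(".", 1)
        client_id, expiry = payload.rsplit(".", 1)
        expiry = int(expiry)
    except (AttributeError, ValueError):
        raise AuthError("malformed token") from None
    # Constant-time comparison over the exact string that was signed.
    if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        raise AuthError("bad signature")
    if expiry < time.time():
        raise AuthError("token expired")
    return client_id


def requires_token(method):
    """Verify the leading authToken argument before the handler body runs."""
    @wraps(method)
    def wrapper(self, authToken, *args, **kwargs):
        return method(self, verify_token(authToken), *args, **kwargs)
    return wrapper


class ExperimentHandler:
    """Hypothetical handler; the IDL would list `1: string authToken` first."""

    @requires_token
    def getStatus(self, client_id, experiment_id):
        return f"{experiment_id}: RUNNING (requested by {client_id})"
```

The handler body only ever sees the verified client id, never the raw token, so authorization decisions inside the method cannot be made on an unchecked value.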
