4

Does Thrift have a mechanism for passing tokens (e.g. auth token strings) when making a remote call? The only option I can see is to include the auth token string in the method signature?

Myles McDonnell
  • 12,943
  • 17
  • 66
  • 116

2 Answers2

2

No, unlike e.g. WS-Security with SOAP, that's considered as being out of scope for Thrift. This part is left to be implemented by the higher level layers of your application, or other mechanisms, depending on what transport you are using.

JensG
  • 13,148
  • 4
  • 45
  • 55
  • There's a way to do it on the server side, for example using http and cookies. See example in the link below. Regarding the client side, I'm clueless because thrift is the one to initiate the call - without a wrapper. https://github.com/apache/thrift/tree/master/tutorial/js – AlikElzin-kilaka Jan 12 '16 at 12:53
2

Its possible to do this over HTTP - the HTTP server and client can talk userid and token in the http(s) headers.

On the client side, subclass the thrift http client. Register key-value pairs with it, to be supplied in subsequent requests.

On the server side, write a filter that receives then stores the http request header variable before passing it onto the handling thrift code. Now, what to do with the token on the server is your business. You might -- allow/disallow access to whole interface based on the token (useful for internal, developer services), or communicate the userid-token to service objects via a thread-local object (ugly but workable).

user48956
  • 14,850
  • 19
  • 93
  • 154
  • Do you have an *example* of how to do it? The main problem is on the client side. On the server side, you have a mechanism that passes the http body to the thrift's processor. How can this done on the client side? What do you mean by "subclass the thrift http client"? – AlikElzin-kilaka Jan 12 '16 at 12:36
  • Look at the following example: The server side is fully configurable but I don't see how to configure the client side: https://github.com/apache/thrift/tree/master/tutorial/js – AlikElzin-kilaka Jan 12 '16 at 12:48
  • See: http://people.apache.org/~thejas/thrift-0.9/javadoc/org/apache/thrift/transport/THttpClient.html ... has setCustomHeaders. I'm not sure if this is in regular thrift 0.9 or if THttpClient was hacked for this purpose. However, I'm fairly certain it should be possible to *only* use the generated code to serialize/deserialize the thrift request data and add you own HTTP transport layer type things (i.e. seek out the implementation of THttpClient and you can do anything). If this link doesn't help, you might try the thrift user group. – user48956 Jan 12 '16 at 21:35
  • 1
    @AlikElzin-kilaka i know this is pretty late when you had this issue, but could you find a solution on this, or you went and send any infos through method param. PS: I'm asking you because i found you on many thrift interceptor questions on the comments. – rpajaziti Oct 03 '22 at 09:29