ADR-001: Apache Thrift for Internal Services
Decision Analysis and Resolution: SW360 Internal RPC Framework
Created by: SW360 Architecture Team
Original Decision: 2014
Reformatted: April 2026
Status: Accepted
Estimated read time: 10 minutes
Table of Contents
- Background
- Goal
- Key Principles
- Key Inputs, Assumptions and Restrictions
- Options Analysis
- Criteria for Making a Decision
- Final Decision
- Contributors
- Discussion & Brainstorming
Background
SW360 was designed as a multi-tier application for open source license compliance management with:
- A web portal (Liferay) as the frontend
- Backend services handling business logic
- A document database (CouchDB) for persistence
FOSSology Integration Challenge: A critical requirement was integration with FOSSology, a license scanning tool. At the time (2014), neither FOSSology nor SW360 had REST APIs. The need arose for a communication protocol that could bridge the Java-based SW360 and the predominantly C/PHP-based FOSSology.
Internal Communication Needs: The system also needed an efficient, reliable communication protocol between the web layer and backend services for internal operations.
Why This Decision Matters Now: This decision affects:
- All internal service-to-service communication
- External tool integrations
- Developer experience and onboarding
- System performance and maintainability
Goal
The goal of this decision analysis is to:
- Select an internal RPC framework for SW360 that supports efficient service communication
- Enable integration with external tools like FOSSology
- Provide strong interface contracts to prevent service drift
- Support potential polyglot implementations in the future
- Document the rationale for future team members
Key Principles
| # | Principle | Description |
|---|---|---|
| 1 | Efficiency First | Internal communication should minimize overhead |
| 2 | Strong Contracts | Interface definitions should be explicit and versioned |
| 3 | Cross-language Support | Must support Java, C++, Python, PHP for FOSSology integration |
| 4 | Developer Productivity | Code generation preferred over manual serialization |
| 5 | Maturity | Framework must be production-ready and well-supported |
Key Inputs, Assumptions and Restrictions
| Type | Description |
|---|---|
| Input | FOSSology is written in C/PHP and has no REST API (2014) |
| Input | SW360 backend is Java-based with Spring framework |
| Input | Complex nested data structures (components, releases, licenses) must be exchanged |
| Assumption | Internal communication will remain on same network/machine |
| Assumption | External clients will need a separate REST API layer |
| Restriction | Must integrate with Liferay portal framework |
| Restriction | Budget does not allow commercial RPC solutions |
Options Analysis
Option 1 - REST/JSON
Summary
Use RESTful HTTP APIs with JSON serialization for all internal and external communication. This is the most common approach for web services and offers broad tooling support.
Conceptual View
graph LR
A[Liferay Portal] <-->|HTTP/JSON<br/>REST APIs| B[Backend Services]
B -->|HTTP/JSON| C[FOSSology]Impact / Changes Required
- Implement REST controllers for all backend services
- Define JSON schemas for all data transfer objects
- Manual serialization/deserialization code
- FOSSology would need REST API development (not available in 2014)
SWOT Analysis
| Category | Analysis |
|---|---|
| Strengths | 1. Universal understanding - every developer knows REST 2. Human-readable JSON for debugging 3. Broad tooling support (Postman, curl, etc.) 4. Stateless by design 5. Works through firewalls easily |
| Weaknesses | 1. Verbose JSON increases payload size 2. No native schema/contract enforcement 3. Manual serialization code required 4. HTTP overhead for internal calls 5. Complex nested structures require careful design |
| Opportunities | 1. Could serve as both internal and external API 2. Easy to add caching layers 3. OpenAPI/Swagger for documentation |
| Threats | 1. Schema drift between services without strict governance 2. Performance issues with large payloads 3. FOSSology has no REST API (2014) - integration blocked |
Option 2 - SOAP/XML
Summary
Use SOAP (Simple Object Access Protocol) with XML serialization. This was the enterprise standard for web services, offering strong typing through WSDL contracts.
Conceptual View
graph LR
A[Liferay Portal] <-->|SOAP/XML<br/>WSDL| B[Backend Services]Impact / Changes Required
- Define WSDL contracts for all services
- Generate Java stubs from WSDL
- Heavy XML processing infrastructure
- FOSSology integration would require SOAP support
SWOT Analysis
| Category | Analysis |
|---|---|
| Strengths | 1. Strong typing through WSDL 2. Enterprise standard with proven track record 3. Built-in error handling (SOAP faults) 4. WS-Security for authentication |
| Weaknesses | 1. Extremely verbose XML payloads 2. High processing overhead 3. Complex tooling and configuration 4. Poor support in non-Java languages 5. Heavy memory footprint |
| Opportunities | 1. Enterprise integration patterns available |
| Threats | 1. Industry moving away from SOAP (2014) 2. Limited C/PHP support for FOSSology 3. Developer resistance - seen as “legacy” 4. Maintenance overhead for WSDL files |
Option 3 - Apache Thrift
Summary
Use Apache Thrift, a binary RPC framework with Interface Definition Language (IDL). Thrift generates client/server code for multiple languages from a single interface definition.
Conceptual View
graph TB
A[Liferay Portal] <-->|Thrift Binary<br/>TBinaryProtocol| B[Backend Services]
A --> C[".thrift files<br/>(contracts)"]
B --> C
C -->|Code Generation| D["Java, C++, Python, PHP, ..."]
D --> E["FOSSology (C/PHP)"]Impact / Changes Required
- Define Thrift IDL files for all data structures and services
- Add Thrift compiler to build process
- Generate Java handlers for backend services
- FOSSology can use generated C/PHP code directly
SWOT Analysis
| Category | Analysis |
|---|---|
| Strengths | 1. Efficient binary protocol - compact payloads 2. Strong IDL contracts - compile-time checking 3. Excellent cross-language support (Java, C++, Python, PHP) 4. Code generation eliminates serialization boilerplate 5. Native support for complex types (maps, sets, nested structs) 6. Optional fields for backward compatibility 7. Battle-tested at Facebook scale |
| Weaknesses | 1. Learning curve for Thrift concepts 2. Requires Thrift compiler in build process 3. Binary protocol harder to debug than JSON 4. Limited IDE support for .thrift files 5. Cannot expose directly to external clients (need REST wrapper) |
| Opportunities | 1. Enables FOSSology integration immediately 2. IDL files serve as living documentation 3. Can add new languages in future without rewriting 4. Performance optimization path available |
| Threats | 1. Smaller community than REST 2. gRPC emerging as competitor 3. Team must maintain Thrift expertise 4. Version management across services |
Option 4 - gRPC/Protocol Buffers
Summary
Use Google’s gRPC framework with Protocol Buffers for serialization. Similar to Thrift but newer, with HTTP/2 transport and strong Google backing.
Conceptual View
graph LR
A[Liferay Portal] <-->|gRPC/HTTP2<br/>Protobuf| B[Backend Services]Impact / Changes Required
- Define .proto files for all services
- Add protoc compiler to build process
- Generate Java/C++ stubs
- Requires HTTP/2 support throughout
SWOT Analysis
| Category | Analysis |
|---|---|
| Strengths | 1. Modern HTTP/2 transport with streaming 2. Efficient Protocol Buffer serialization 3. Strong Google backing and community 4. Good tooling and documentation |
| Weaknesses | 1. Immature in 2014 - gRPC 1.0 released in 2016 2. Limited language support in 2014 3. HTTP/2 not widely supported in 2014 4. No PHP support initially (critical for FOSSology) |
| Opportunities | 1. Growing ecosystem 2. Cloud-native alignment |
| Threats | 1. Production-ready version not available (2014) 2. PHP support timeline uncertain 3. Breaking changes expected before 1.0 4. FOSSology integration blocked |
Criteria for Making a Decision
T-Shirt Sizing Scale
| T-Shirt Size | Numeric Value | Meaning |
|---|---|---|
| XS | 1.0 | Worst for this aspect |
| S | 2.5 | Poor |
| S-M | 3.75 | Below Average |
| M | 5.0 | Average |
| M-L | 6.25 | Above Average |
| L | 7.5 | Good |
| L-XL | 8.75 | Very Good |
| XL | 10.0 | Best for this aspect |
Weighted Evaluation Matrix
| Criteria | Description | Weight | REST/JSON | SOAP/XML | Thrift | gRPC | ||||
|---|---|---|---|---|---|---|---|---|---|---|
| Rating | Score | Rating | Score | Rating | Score | Rating | Score | |||
| FOSSology Integration | Must support C/PHP languages for FOSSology | 10 | XS | 10.0 | XS | 10.0 | XL | 100.0 | XS | 10.0 |
| Performance | Binary efficiency, low overhead for internal calls | 8 | M | 40.0 | S | 20.0 | L-XL | 70.0 | L-XL | 70.0 |
| Type Safety | Compile-time contract enforcement | 8 | S | 20.0 | L | 60.0 | L-XL | 70.0 | L-XL | 70.0 |
| Complex Data Structures | Support for nested objects, maps, collections | 7 | M | 35.0 | M-L | 43.75 | XL | 70.0 | L-XL | 61.25 |
| Developer Experience | Learning curve, debugging, tooling | 7 | L-XL | 61.25 | S-M | 26.25 | M-L | 43.75 | M | 35.0 |
| Code Generation | Automatic stub generation reduces boilerplate | 6 | S | 15.0 | M-L | 37.5 | XL | 60.0 | XL | 60.0 |
| Production Readiness | Mature, battle-tested, stable (as of 2014) | 9 | XL | 90.0 | L | 67.5 | L-XL | 78.75 | XS | 9.0 |
| Community & Support | Documentation, community help, longevity | 6 | XL | 60.0 | M | 30.0 | L | 45.0 | S | 15.0 |
| Cross-Language Support | Java, C++, Python, PHP coverage | 8 | L | 60.0 | S-M | 30.0 | XL | 80.0 | S-M | 30.0 |
| Backward Compatibility | Adding fields without breaking clients | 6 | M | 30.0 | M | 30.0 | L-XL | 52.5 | L-XL | 52.5 |
| TOTAL | 421.25 | 355.0 | 670.0 | 412.75 |
Score Summary
| Rank | Option | Total Score | Recommendation |
|---|---|---|---|
| 🥇 1 | Apache Thrift | 670.0 | ✅ SELECTED |
| 🥈 2 | REST/JSON | 421.25 | External API layer |
| 🥉 3 | gRPC | 412.75 | Not production-ready (2014) |
| 4 | SOAP/XML | 355.0 | ❌ Rejected |
Final Decision
Selected Option: Apache Thrift
Rationale
Apache Thrift was selected as the internal RPC framework for SW360 based on:
Highest Weighted Score (670.0) - Significantly outperformed alternatives across all criteria
Critical FOSSology Integration - The highest-weighted criterion (10). Thrift’s native C/PHP support was the only option enabling FOSSology integration without requiring FOSSology to implement a new API
Superior Type Safety - Thrift IDL provides compile-time guarantees that prevent service interface drift:
service ComponentService { Component getComponentById(1: string id, 2: User user) throws (1: SW360Exception exp); }Complex Data Structure Support - Native handling of nested structures, optional fields, and collections essential for SW360’s data model
Production Readiness - Battle-tested at Facebook scale, unlike gRPC which wasn’t released until 2016
Implementation Notes
Thrift Files Location:
libraries/datahandler/src/main/thrift/
├── sw360.thrift # Common types, enums
├── components.thrift # Component, Release
├── projects.thrift # Project, ClearingRequest
├── licenses.thrift # License, Obligation
├── users.thrift # User, UserGroup
└── ...
Service Pattern:
// Handler implements Thrift interface
public class ComponentHandler implements ComponentService.Iface {
@Override
public Component getComponentById(String id, User user)
throws SW360Exception {
// Implementation
}
}
External API: REST/JSON layer to be added for external client access (cannot expose Thrift directly)
Review Triggers
This decision should be revisited if:
- FOSSology deprecates Thrift support
- gRPC becomes the industry standard with full PHP support
- Major Thrift vulnerabilities are discovered
- Team expertise in Thrift becomes unsustainable
Contributors
| Name | Role | Contribution |
|---|---|---|
| SW360 Architecture Team | Decision Makers | Requirements analysis, criteria weighting |
| FOSSology Team | Stakeholder | Integration requirements |
| Development Team | Implementers | Feasibility assessment |
Discussion & Brainstorming
Architecture Team - 2014
The key differentiator is FOSSology integration. Without Thrift, we would need to wait for FOSSology to implement REST APIs, which is outside our control and timeline.
Development Team - 2014
Concern: Learning curve for Thrift IDL. Mitigation: Create internal documentation and code examples. The code generation actually reduces overall development effort.
Operations - 2014
Binary protocol harder to debug. Recommendation: Implement detailed logging at service boundaries and consider JSON protocol for development environments.
Consequences Summary
Positive
- ✅ Strong typing with compile-time checking of service interfaces
- ✅ Efficient binary protocol for large payloads
- ✅ Clear contracts through IDL files as documentation
- ✅ Backward compatibility through optional fields
- ✅ Consistent data model across all layers
- ✅ FOSSology integration enabled immediately
Negative
- ⚠️ Learning curve for developers new to Thrift
- ⚠️ Build complexity with Thrift compiler dependency
- ⚠️ Binary protocol harder to inspect than JSON
- ⚠️ REST API needed for external client integration
Technical Debt Created
- External REST API layer needed for non-Thrift clients
- Thrift compiler must be maintained in CI/CD pipeline
Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2014 | Architecture Team | Initial decision |
| 2.0 | April 2026 | Bibhuti Bhusan Dash | Reformatted to DAR/SWOT template |