Question

I need to figure out how to best authenticate users who are connecting from a C++ game client, against a MySQL database on another server, and I plan on writing a Java web service to accomplish this.

Security is of primary concern; I need to make sure that the data flowing across the wire is encrypted, so I'll be leveraging SSL (originally I thought about message-level encryption using WS-Security; however, I think it's too much overhead).

What I really need to figure out is what kind of authentication mechanism I should provide. These users will be supplying usernames and passwords, and will be issuing a web request to a service.

I haven't decided whether the service should be a traditional SOAP web service or a RESTful one. The whole idea behind REST is to make the server stateless, and since the client will basically be establishing a session with the service, I don't see a point in using REST here.

Having said all that, what I really need to nail down is how exactly to perform the handshake and how to persist the session.

Are there any popular frameworks out there that provide APIs to do this against a MySQL database?

Again, the client will offer up a UN / PW to the server, which needs to decrypt them (SSL should take care of that), authenticate them against the account info stored in a MySQL DB, and then return some kind of hash or something similar so that the user's session can persist, or so that the user doesn't have to log in again to issue additional requests.

Could anyone recommend a framework / some reading material for me to glance over?


Solution

Keep things as simple as possible.

HTTP is already stateless, and the idea of a login followed by a continued session is well established (session cookie). Use this paradigm and you won't have any troubles.

You also get the benefit of a very lightweight and open communication protocol, and many good libraries for easy serialization / deserialization of common REST payloads like JSON or XML.

REST also means that you can use the same server with other clients quite easily.

Other tips

I'd take a look at OAuth:

http://developers.sun.com/identity/reference/techart/restwebservices.html

A well-established pattern is:

1. Log in & receive an OAuth token.
2. Store the token in the DB with the user's internal id (and any other data, such as token expiration time, you wish to store).
3. Send the token to the client; the client persists the token.
4. The client sends the token with all future requests.
5. The server fetches the user info from the token.

This method should work well with any client language and any backend datastore.
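The five steps above carried through on the server side, as an added example that is not from this answer's author. It assumes a module-level SQLite in-memory connection `db` standing in for the MySQL tables, a constructed `TOKEN_TTL`, and passwords stored as salted PBKDF2 hashes; only a SHA-256 hash of the issued token is stored, so a leaked sessions table cannot be replayed, and expiry is checked on every lookup.

```python
import hashlib, hmac, os, secrets, sqlite3, time
from typing import Optional

# Constructed stand-in for the MySQL users/sessions tables (assumption).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT UNIQUE, salt BLOB, pw_hash BLOB);
CREATE TABLE sessions(token_hash BLOB PRIMARY KEY, user_id INTEGER, expires_at REAL);
""")

TOKEN_TTL = 3600  # seconds a token stays valid (constructed value)

def _pw_hash(password: str, salt: bytes) -> bytes:
    # Salted, slow password hash; never store the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _token_hash(token: str) -> bytes:
    # The DB keeps only this digest, not the token the client holds.
    return hashlib.sha256(token.encode()).digest()

def create_user(name: str, password: str) -> int:
    salt = os.urandom(16)
    cur = db.execute("INSERT INTO users(name, salt, pw_hash) VALUES (?, ?, ?)",
                     (name, salt, _pw_hash(password, salt)))
    return cur.lastrowid

def login(name: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 1-3: verify the password, then issue and record a fresh opaque token."""
    row = db.execute("SELECT id, salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    if not hmac.compare_digest(stored, _pw_hash(password, salt)):
        return None  # wrong password: same response as unknown user
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
               (_token_hash(token), user_id, now + TOKEN_TTL))
    return token

def user_for_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Steps 4-5: resolve the token sent with a request to the user's internal id."""
    now = time.time() if now is None else now
    row = db.execute("SELECT user_id, expires_at FROM sessions WHERE token_hash = ?",
                     (_token_hash(token),)).fetchone()
    if row is None or row[1] <= now:
        return None  # unknown or expired token: caller must reject the request
    return row[0]

def logout(token: str) -> None:
    db.execute("DELETE FROM sessions WHERE token_hash = ?", (_token_hash(token),))
```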

I would recommend using REST. As an authorization framework you can use the standard container's JDBC or file realms on JAAS. If the login/password pair is successful, store them at the client side. After that, you can perform requests with the auth credential supplied per request. I used the Jersey client for this. For [de]serialization from/to XML/JSON, the XStream library "do all dat math". Have a nice day.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow