Is WS-Security or REST+SSL a scalable authentication platform?

Zachary Carter
  • Is WS-Security or REST+SSL a scalable authentication platform? Zachary Carter

    I'm trying to find a solid architecture for authenticating users against a database. I have a game client, which I plan to serve up a request with. The transport doesn't really matter, but at this point I'm thinking HTTP and leveraging either SSL or WS-Security to ensure the encryption of data over the wire.

    I'd like to avoid middle-man attacks if possible so I'm leaning towards WS-Security even though I know it costs more in terms of overhead.

    On the service side, I'd like to use an authentication framework such as Apache Shiro to authenticate users against a MySQL database. I'm not sure if I can leverage the session features or not, as I haven't looked that for into it, but it'd be great if I could.

    It will probably be a mix of storing some session information in the database and if I can leverage Shiro's session features then that's a bonus.

    My real question is about the handshake between the client and server. If I use WS-Security isn't all that taken care of for me? Does that alone make the overhead worth it?

    If not, what should I do here? I want to make sure all of the requests from the client are authenticated but I also don't want to have to jump through hoops to make it happen. Would something as simple as HTTP digest authentication work here?

    One constraint I have is access to libraries. If it's not free and can't be used in a commercial product then I can't leverage it. My client is going to be written in C++ and I can use whatever language makes it easiest (I'm leaning towards Java) to make it happen on the server side.

    I plan on adding support for users to purchase in-game items through micropayments down the road, so this handshake mechanism definitely needs to be secure.

    I keep hearing people suggest REST + SSL, and to examine Amazon's Signing and Authenticating REST Requests page. Is that a viable alternative? If I used that and something like Apache Shiro would I have a winner?

  • SSL is not vulnerable to MITM, unless the client machine has malicious root CA certificates installed (in which case you can't do anything at all as you might as well assume that the entire client is compromised). If you get a certificate from a proper CA like Verisign you will be assured that any communications with your server will be secure (except in academic situations like quantum computing). If you use an encrypted channel during the authentication phase you can use whatever serialization/communication paradigm you want (REST, Protobuf, etc.).

    In other words all you need to do at the end of the day is make sure that the passwords are salted and hashed in your DB, preferably double-salted so that your client 'remember password' functionality can store a salted hash on the hard-drive; instead of a clear-text password.

    Alternatively you could look into:

    • SRP which doesn't need to occur over a secure medium.
    • Mutually-authenticated TLS/SSL (using a client certificate). The nice thing with this is that it enables offline (LAN) scenarios as clients can authenticate with each-other without the presence of your authentication server.

    WS-Security is primarily geared toward federated services, i.e. cross-enterprise, (as are most of the WS-I extensions) - which is probably not a concern for you. At any rate the WS-Security has the associated overhead of SOAP (and the underlying frameworks/marshalling needed to handle SOAP calls). SOAP is a very heavy protocol and is probably an very poor choice for game development. I would avoid this entirely.

Tags
c++ authentication
Related questions and answers
  • with the Physics correctly... So my main question is: What would be a good combination of libraries to make an online game with? Im sure that many people have good combinations of libraries for making a game...Lately I have been working on a game that i plan to make online. I have used different libraries to make this game as far as i could, but I feel that I should rethink on how Im sertting this game up... better. I would also like compatability, If Theres one that fits DirectX(at least 9) and OpenGL, then that would be good) 2D Graphics(I liked SFML, so it its possible to get something that works with SFML

  • to be moved then so be it), but i felt it would fit here just a bit, since its a game-dev type question. Anyways, My compiler is MinGW that uses the IDE Code::Blocks. also the operating system that im using on both computers are windows Vista 32 bit. Now if anyone would know why this would happen then please do tell(but my guess is that maybe the graphics card is not compatible) Here... errors on request through comment). But as of now the main problem is when i render my model(it is a plane with simple, unblended pixelated texture), it looks like this on my Laptop(Left Image

  • I'm creating an FPS game. I'm writing my own game engine. So far all the backend stuff is going great. I'd like to support md2 as the native file format for 3D Objects, but I also want to use skeletal meshes. Does anyone know if the md2 file format supports skeletal meshes? In-case you need to know, I'm going to use blender as my Mesh creation tool and C++ as my programming language... Thanks For got to mention, the engine is based on OpenGL... Alright, for anyone who is reading this, I just found the Doom 3 md5 specifications (http://tfc.duke.free.fr/coding/md5-specs-en.html). It gives

  • know if my speculations are ok, as I don't have much experience with 3d animations yet. I want to make a well decision as any option I choose would require a lot of work to get it to render and I... I was thinking about making smaller structures with the fTime variable each so I can have attribute keyframes, light keyframes and buffer keyframes, then make the node structure look like...well... I'm building the animation system of my game engine (the skeletal and skinned animation stuff), and I came to a point where I added so much functionality in the frame and node structures

  • I'm trying to use PhysX for my physics engine. I'd like to use spherical joints, but I'm having trouble with the constraints. All of the examples that I've found refer to SDK v2.8. I'd like to stick with v3.0. Even the PhysX support center uses deprecated APIs. There's a tutorial at the support center (Ch 4 - Grass) that I'm trying to imitate. Converting that code to the current API has been problematic. NxSphericalJointDesc is deprecated. How do you specify equivalent constraints to those found in the tutorial? There's another post that talks about a similar problem.

  • Since building a game is not about 2D anymore, I just want to build a list of the (not necessarily best, but good enough) open source software available to make games. I prefer to put emphasis on libraries that insist on specializing on one part of what makes a game (like Ogre does for graphics, and OpenSteer does for steering), rather than engines/libraries that try to feature a lot of different features. 3D Graphics: OGRE3D http://www.ogre3d.org/ Irrlicht http://irrlicht.sourceforge.net/ Sound: IrrKlang http://www.ambiera.com/irrklang/ Found this: http://wiki.gamedev.net

  • Collision Resolution ultifinitus

    Hey all, I'm making a simple side-scrolling game, and I would appreciate some input! My collision detection system is a simple bounding box detection, so it's really easy to implement. However my... the object that I've already sunk into, my object's position is resolved to it's original position... All this is great, and I'm sure if I bang my head against a wall long enough i'll come up with a working algorithm, but I'd rather not =). So what in the heck do you think I should do? How could I change my collision resolution system to fix this? Here's the program (temporary link, not sure how

  • Ive been reteaching myself opengl so I can make a game on android. However Ive been struggling with how to build objects and scenes in opengl using c/c++ and passing them through the jni to the virtual machine where android can use them. Can some one point me towards some tutorials that actually show the use of natively built objects being created and passed through to the jni. Im fine using c++ or java I just dont have much experience using the jni. Ive built some sample projects where I pass primitives like floats and perform operations on them on the native side and then passed them back

  • not seem to have joystick input support, which would require that SDL or some other library also be used. So my question can be summed up as this: What is the best way to get SVG and joystick...I'm looking into building a cross-platform opensource 2D RPG style game engine for ChaiScript. I want to be able to do all of the graphics with SVG and need joystick input. I also need the libraries I use to be opensource and compatible with the BSD license. I'm familiar with allegro, ClanLib, and SDL. As far as I can tell, none of these libraries have built in or obvious integration for SVG

Data information