Single sign-on for jsp-website and applet

[adon_y_coya]

I have developed a jsp website (runs on tomcat) and the user logs in/out.
A part of the protected content involves a client/server minigame that runs on an applet and custom (nio) server.
They both share the same backend mySql database.

I'd like to have the player only login once, at the jsp login - then the applet should know who's playing and where to store the results etc.

The only way I've come up for doing it, is to have tomcat store the opened logined session in the database:
<username><password><status:logined><since:19239048566><ip:1.2.3.4>
When the applet loads, it connects on the custom java server, which looks up the IP info in the DB, and if status is 'logined' then the minigame starts.
If not, then it denies access to the applet and updates the record in the db (for web server's update).

Can anyone think of something better?

[Karmington]

people's ip:s change over time. Using that won't work long term...
I think pretty much all sites have accepted that a user must login,
and leave it to browsers to remember the name and password for automatic entrance.
I'm passing the login info to the applet as parameters, f.ex.
gokgs applet has login at the beginning, you cant even use browser memory for it.
I think either is acceptable.

EDIT: yep session data is the trick...
of course if you are just changing the ip every time user logins, no prob with that then,
or is it causing some trouble? main thing i see is that it's unnecessary server traffic...

[steveyO]

I pretty do the same as Karmington for my site.. When user logs on store their credentials in a session.
When they access the applet (in the restricted session) pass the credentials as applet parameters and use them for authenticating back to the server.

Games published by our own members! Check 'em out!

[adon_y_coya]

@Karmington:
Browsers remember things like that with cookies (but users have the option to disable them).
And how can an applet read the cookie?

@SteveyO:
So you just echo back to the client, in the html code that initiates the applet, the username/password that was initially entered?
Is this secure?

[Karmington]

Applet doesnt need to know password, surely.
Assume the login is valid, spawn the applet for the _unique_ username, or if not unique then need unique ID,
why pass the password anyway?

[steveyO]

Ok to explain a bit better,  in my jsp page I pass the following (am using JOGRE engine but the principle can be the same for any other client/server applet)

1   2   3   4   5   6

<applet archive="blah.jar" code="blah.class" width="800" height="500">    <param name="username"   value="steve"/>    <param name="password"   value="xxxxxx"/>    <param name="serverhost" value="xxx.xxx.xxx.xxx"/>    <param name="serverport" value="xxxx"/>                       </applet>

When the user first connects to the applet their credentials are validated against the server, and if so they can play the game.
The password isn't necessary, (in jogre you can just validate against the username).  Of course anyone can get the password by viewing the HTML Source Code so you need to consider this.

[adon_y_coya]

@steveyO:
OK, got it now.
There may be a security issue here, I wonder how can jogre just validate against the username.
side-note: Isn't the serverhost param superfluous? I mean applets are not allowed to connect to sites other than the ones that downloaded them, right?

@Karmington:
Appler is just a class in a jar, couldn't it have been loaded from outside the private context?
As from a saved in browser offline content?
So I assumed that on init() the applet will offer credentials again, instead of considering 'any' connecting applet to the server as 'trusted'.
I guess your proposal chimes with steveyO's, right?

On the IP issue: The IP is updated with each succesful jsp login, so no problem with dynamic IPs.
Cookie: how can an applet read one?

[Karmington]

has to go throught the jsp, dont think applet can directly access cookie.
http://www.quirksmode.org/js/cookies.html
I think we just used session data and parameter passing in our previous project.

[steveyO]

Yeah, in my case the serverhost is the IP address of my Server (otherwise, as you say the applet cannot connect, unless it is signed!).
The reason it is here is so I dont have to hard-code the IP address in the client applet code. Jogre has its own db table with its users so I guess it just validates against the username, although dont quote me,  its been about 10 months since I integrated the applets in my site.

[Riven]

Just use cookies...

And to get the sessionid in the HTML you either generate the page, or create some javascript that writes the sessionid in the applet->param node, using the DOM.