I have a Java Web Start Application which communicates against my server via a web service (over https). I want to restrict the usage of the webservice to my app only, so that 3rd party apps don't work.

What strategies do I have? This question is somewhat broad, but running in JWS disables some options, like doing a checksum over all jars (at least I don't know a way of doing this in a JWS environment).

I can always implement my own auth scheme, but since the client code is on the client-side, one can always disassemble the class files and crack the auth mechanism.

+1  A: 

Remember that if the client is communicating with the server over https, the user can easily replace the JWS client with something else that also communicates over https. Anything the JWS client could send to "prove" its identity could be faked pretty easily. You could use client certificates (or numerous other types of authentication) to make sure only users with access to the JWS client could connect, but they will always be able to extract what they need from the JWS client to connect with something else.

The service needs to be secured based on what the user should be allowed to do.

Draemon
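An added example, not code from the question or the answer above: a hypothetical servlet filter in front of the web service that follows the answer's advice, authenticating the caller with a TLS client certificate and authorizing each call per user rather than trusting anything the JWS client claims about itself. The class name, the sample policy map and the subject DNs are constructed for illustration.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: the container has already verified the client
// certificate during the TLS handshake; we only decide what that user may do.
public class UserAuthorizationFilter implements Filter {

    // Constructed sample policy: certificate subject DN -> allowed operations.
    // A real deployment would load this from a user store, not a literal map.
    private static final Map<String, Set<String>> POLICY = Map.of(
        "CN=alice,O=Example", Set.of("GET /ws/orders", "POST /ws/orders"),
        "CN=bob,O=Example",   Set.of("GET /ws/orders"));

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // Set by the servlet container only when a client certificate was
        // presented and validated against the server's trust store.
        X509Certificate[] certs = (X509Certificate[])
            http.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        String user = certs[0].getSubjectX500Principal().getName(); // RFC 2253 form
        String operation = http.getMethod() + " " + http.getRequestURI();

        // Authorize on the proven user identity. A custom "app secret" header is
        // deliberately not consulted: any secret shipped inside the JWS jars can
        // be recovered by the user, so it proves nothing about the calling program.
        Set<String> allowed = POLICY.get(user);
        if (allowed == null || !allowed.contains(operation)) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN, "not permitted: " + operation);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The filter still relies on the server being configured to request client certificates (for example Tomcat's `clientAuth="true"` on the HTTPS connector) and on each user holding their own certificate, so compromise of one user's key exposes only that user's permissions.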