Trejkaz wrote:
> The next aspect is some kind of basic authentication. Really, what I
> want is just a secret key that the client has to pass in in order to
> get access to my remote objects. But, I don't want to have to add that
> secret key to every method.

If your communications are of the (essentially) non-connected variety, example being HTTP, I don't see getting around passing an access "key" with each call.

I think "the way" involves a process like this:

- client requests a salt from the server
- server leases a salt to the client (good for 20 minutes, for example)
- the client hashes the password, adds the salt to that, and hashes it again
- the client sends this to the server with each request, along with the salt used
- the server checks that the salt is not expired
- the server verifies the hash-salt-hash using the same hash-salt-hash algorithm

We've used this basic procedure on several systems. It's pretty good. The hashing we use is the 128-bit MD5 hash.
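
The leased-salt exchange described in the reply above, as an added Python example that is not part of the original message or of any system its author mentions. The class and function names, the 16-byte random salt and the in-memory lease table are assumptions; MD5 is the default only because the reply names it, and any `hashlib` algorithm name can be passed instead.

```python
import hashlib
import hmac
import secrets
import time

LEASE_SECONDS = 20 * 60  # the reply's example lease: 20 minutes


def h(data: bytes, algo: str = "md5") -> bytes:
    """Hash helper. The reply uses 128-bit MD5; any hashlib name works."""
    return hashlib.new(algo, data).digest()


def client_token(password: str, salt: bytes, algo: str = "md5") -> bytes:
    """Client side: hash the password, append the salt, hash again."""
    return h(h(password.encode(), algo) + salt, algo)


class SaltServer:
    """Hypothetical server: leases salts and verifies hash-salt-hash tokens."""

    def __init__(self, password_hash: bytes, algo: str = "md5", clock=time.time):
        self.password_hash = password_hash  # server keeps H(password), not the password
        self.algo = algo
        self.clock = clock                  # injectable so expiry can be tested
        self.leases = {}                    # assumption: in-memory map, salt -> expiry time

    def lease_salt(self) -> bytes:
        salt = secrets.token_bytes(16)      # assumption: 16 random bytes per salt
        self.leases[salt] = self.clock() + LEASE_SECONDS
        return salt

    def verify(self, salt: bytes, token: bytes) -> bool:
        expiry = self.leases.get(salt)
        if expiry is None:
            return False                    # salt was never issued by this server
        if self.clock() >= expiry:
            del self.leases[salt]           # expired: client must request a new salt
            return False
        expected = h(self.password_hash + salt, self.algo)
        return hmac.compare_digest(expected, token)  # constant-time comparison


if __name__ == "__main__":
    server = SaltServer(h(b"constructed-password"))  # constructed sample secret
    salt = server.lease_salt()
    print(server.verify(salt, client_token("constructed-password", salt)))
```

Until the lease expires, the same salt and token pair is accepted on every request, so the lease length is the window in which a captured pair remains valid.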