Trejkaz wrote:
> The next aspect is some kind of basic authentication.  Really, what I
> want is just a secret key that the client has to pass in in order to
> get access to my remote objects.  But, I don't want to have to add that
> secret key to every method.

If your communications is of the (essentially) non-connected variety,
example being HTTP, I don't see getting around passing an access "key"
with each call.

I think "the way" involves a process like this:
- client requests a salt from the server
- server leases a salt to the client (good for 20 minutes, for example)
- the client hashes the password, adds the salt to that, and hashes it
again
- the client sends this to the server with each request, along with the
salt used
- the server checks that the salt is not expired
- the server verifies the hash-salt-hash using the same hash-salt-hash
algorithm

We've used this basic procedure on several systems. It's pretty good.
The hashing we use is the 128-bit MD5 hash.
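The lease-and-verify procedure described above, written out as an added example in Python (this is not code from the original thread or from Trejkaz's project). The post uses MD5; this block takes the hash algorithm as a parameter and defaults to SHA-256, and it assumes a controllable clock (`FakeClock`, an assumption for the example) so that the 20-minute salt expiry can be exercised offline. The server is assumed to hold `H(password)` per user, which is what the hash-salt-hash scheme requires on the verifying side.

```python
import hashlib
import hmac
import secrets
import time


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data under the chosen algorithm (the post used 'md5')."""
    return hashlib.new(algo, data).hexdigest()


def client_proof(password: str, salt: str, algo: str = "sha256") -> str:
    """Client side: hash the password, append the leased salt, hash again."""
    inner = digest(password.encode(), algo)
    return digest((inner + salt).encode(), algo)


class FakeClock:
    """Assumed test clock so lease expiry can be driven deterministically."""

    def __init__(self, start: float = 1_000_000.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class SaltServer:
    """Server side: lease salts, then verify hash-salt-hash proofs per request."""

    def __init__(self, password_hashes, lease_seconds=20 * 60, algo="sha256", now=time.time):
        self.password_hashes = password_hashes  # user -> hex(H(password))
        self.lease_seconds = lease_seconds
        self.algo = algo
        self.now = now
        self.leases = {}  # salt -> expiry timestamp

    def lease_salt(self) -> str:
        # Unpredictable salt; the lease is good for lease_seconds (20 min in the post).
        salt = secrets.token_hex(16)
        self.leases[salt] = self.now() + self.lease_seconds
        return salt

    def verify(self, user: str, salt: str, proof: str) -> bool:
        # 1. the salt must have been leased by us and must not be expired
        expiry = self.leases.get(salt)
        if expiry is None or self.now() > expiry:
            return False
        # 2. recompute hash-salt-hash from the stored H(password) and compare
        stored = self.password_hashes.get(user)
        if stored is None:
            return False
        expected = digest((stored + salt).encode(), self.algo)
        return hmac.compare_digest(expected, proof)


def run_demo(algo: str = "sha256") -> dict:
    """Exercise the protocol end to end; returns the outcome of each check."""
    clock = FakeClock()
    # Constructed sample credential store: the server keeps H(password) only.
    store = {"alice": digest(b"correct horse", algo)}
    server = SaltServer(store, algo=algo, now=clock.now)

    salt = server.lease_salt()
    good = server.verify("alice", salt, client_proof("correct horse", salt, algo))
    bad_password = server.verify("alice", salt, client_proof("wrong", salt, algo))
    unknown_user = server.verify("bob", salt, client_proof("correct horse", salt, algo))
    unleased_salt = server.verify("alice", "deadbeef", client_proof("correct horse", "deadbeef", algo))

    clock.advance(20 * 60 + 1)  # step past the lease window
    expired = server.verify("alice", salt, client_proof("correct horse", salt, algo))

    return {
        "good": good,
        "bad_password": bad_password,
        "unknown_user": unknown_user,
        "unleased_salt": unleased_salt,
        "expired": expired,
    }


if __name__ == "__main__":
    print(run_demo())
```

Each request still carries the salt and the proof, as the message says; what the lease buys is a bound on how long a captured proof stays valid. `hmac.compare_digest` is used for the comparison so verification time does not depend on where the two digests first differ.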