This page describes ways to authenticate connections to Kweerie (mainly between KweerieClients and QueueManagers, but this could also be used to communicate with MetaDataServices or KweeriePlayers, etc.).
I'd suggest using some sort of negotiation protocol, perhaps a modification of SPNEGO, to determine the methods supported by the server, and then using GSSAPI (if supported) with Kerberos tickets. This should be relatively easy to implement in a variety of languages and on a variety of platforms.
As an alternative to infrastructure-based authentication, simple user passwords or a global group password can be used to keep others out. Of course, no authentication could be supported as well, simply by using a blank group password.
Note that the authentication should be negotiable per connection, not globally, so that different channels between clients and servers can be secured as needed.
You can get some general information on SPNEGO at: http://en.wikipedia.org/wiki/SPNEGO and some general info on GSSAPI at: http://en.wikipedia.org/wiki/GSSAPI
You can get some info on Kerberos at: http://en.wikipedia.org/wiki/Kerberos_%28protocol%29 and I'd suggest reading through http://web.mit.edu/kerberos/www/dialogue.html to gain an understanding of how Kerberos works.
It might also be useful to tie in the SharedSecret to this page. This is effectively the same thing as a shared group password, only it would be longish and randomly generated and typically only used by backend services, and thus wouldn't need to be typed in directly by users. We could of course just use Kerberos principals for each service, but we'd need to pick separate names for each service so as not to clobber similar services running on the same host. Kerberos basically allows one service instance per physical IP address / hostname. We don't want to have this limitation, although it might make sense to limit Kweerie to one of each type of service per host.
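The per-connection negotiation and the SharedSecret / group password fallback described above could look like the following. This is an added example, not Kweerie code: the mechanism labels, the `Listener` class and the HMAC challenge-response used to check the secret are all assumptions, and the GSSAPI token exchange itself is left out.

```python
import hashlib
import hmac
import secrets

# Hypothetical mechanism labels, strongest first (not defined by Kweerie).
PREFERENCE = ("gssapi-krb5", "shared-secret", "group-password", "none")


def prove(key, nonce):
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Listener:
    """One server endpoint with its own policy (per connection, not global)."""

    def __init__(self, gssapi=False, shared_secret=b"", group_password=""):
        self.keys = {}
        if shared_secret:
            self.keys["shared-secret"] = shared_secret
        if group_password:
            self.keys["group-password"] = group_password.encode()
        self.offered = (["gssapi-krb5"] if gssapi else []) + list(self.keys)
        # Blank group password and nothing else configured: no authentication.
        if not self.offered:
            self.offered.append("none")

    def negotiate(self, client_mechs):
        """Return the strongest mechanism both sides support, or None."""
        for mech in PREFERENCE:
            if mech in self.offered and mech in client_mechs:
                return mech
        return None

    def challenge(self):
        return secrets.token_bytes(16)  # fresh nonce for every connection

    def verify(self, mech, nonce, proof):
        """Check the client's proof for the negotiated mechanism."""
        if mech not in self.offered:
            return False  # client may not pick something this listener refused
        if mech == "none":
            return True
        key = self.keys.get(mech)
        if key is None:
            return False  # GSSAPI token exchange is outside this example
        return hmac.compare_digest(prove(key, nonce), proof)
```

Because each `Listener` carries its own policy, a backend channel can require the shared secret while another listener on the same host stays open with a blank group password.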
