2

我目前正在使用 java.net.* 下的类为我正在创建的 MMORPG 开发 Java 应用程序。它将与 Unity3D 游戏连接(使用 TCP 的 .NET 套接字)。我不确定如何处理玩家的登录/身份验证。

建议?我正在考虑通过 https 上的安全表单来处理身份验证,在数据库中创建和存储临时登录密钥,然后将密钥发送回客户端,分配他们一分钟使用随机生成的密钥连接到游戏服务器. 这是一个安全可靠的解决方案,还是我能做的更好?

服务器类

import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;

public class Server extends Thread {

    public static final int MAX_CLIENTS = 500;

    private ServerSocket listener;
    protected ArrayList<Client> clients;

    public Server(int listenPort) throws IOException {
        listener = new ServerSocket(
                listenPort, MAX_CLIENTS,
                InetAddress.getLocalHost()
        );

        clients = new ArrayList<Client>();
    }

    @Override
    public void run() {
        while (true) {
            try {
                Socket socket = listener.accept();
                Client client = new Client(socket, this);
                clients.add(client);

                new Thread(client).start();
            } catch (IOException e) {}
        }
    }

    public static void main(String[] args) throws IOException {
        new Server(4428).start();
    }
}

客户端类

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.Socket;

public class Client implements Runnable {

    private Socket socket;
    private Server server;
    private BufferedReader in;
    private PrintWriter out;

    public Client(Socket sock, Server serv) {
        socket = sock;
        server = serv;
        in = null;
        out = null;
    }

    @Override
    public void run() {
        try {
            in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
            out = new PrintWriter(socket.getOutputStream(), true);

            while (true) {
                // Read Data with read()
            }
        } catch (IOException e) {}
    }

    public void read() throws IOException {
    }

    public void send(String data) {
    }
}
4

1 回答 1

2

I would recommend using HTTPS for login and for important account actions (buy/sell/transfer items). When the client logins to the server over HTTPS the server should generate a long (64-128 bytes) random session id that is stored in the database. Also generate a temporary one-time authentication token (long random value) for the client's TCP connection.

The reason for using HTTPS is to help stop MITM attacks from stealing the users in game assets.

If the traffic between client & server is low you could use a TLS socket instead of a normal TCP socket. Just make sure to have the client validate(Signed by a trusted CA and that the domain matches) the server's certificate.

Even if you use HTTPS for important actions a MITM attack could still mess with the users actions (moving, attacking, chat) or change what the user sees (hide monsters or other users).

于 2013-05-27T02:15:57.673 回答