I am writing a plugin for the popular Minecraft server software, Bukkit.
My plugin will require sending player scores to my server, to work out a global leaderboard.
Seeing as Java can be decompiled, someone can decompile the plugin and find out how it works (it’s open source anyway). I am looking for a method of sending data to my server (player scores) in such a way that it cannot be spoofed, and the leaderboards cannot be rigged.
I was considering making the plugin’s users (server owners) sign up to the leaderboards site, and then use their own username/password combination to connect to my leaderboards. If it was abused, I could simply block that server from the leaderboards. This is not the most efficient method however, as I would have to administrate the joins and approve the amount of kills.
How would I go about making sure the client (Bukkit Server Plugin) can’t spoof kills?
If your concern is that a legitimate user is educated enough to decompile your jar, understand your code and figure out how to send wrong data from your plugin, authentication methods are of no use (the user is already legitimate) and I assume the logic that calculates what you want cannot reside in the server. In this case your best option would be to obfuscate your code.
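The per-server account idea from the question, sketched from the leaderboard's side as an added example (not code from the original post): each registered server gets its own secret, signs every submission with HMAC-SHA256, and can be blocked individually. The names `SERVER_KEYS`, `BLOCKED`, `sign` and `verify` and the sample keys are assumptions; a valid signature only shows which server sent a score, not that the kills happened.

```python
import hashlib
import hmac
import json
import time

# Constructed sample registry: server id -> secret issued when the owner signs up.
SERVER_KEYS = {"survival-01": b"constructed-secret-A", "pvp-02": b"constructed-secret-B"}
BLOCKED = set()        # servers removed from the leaderboard after abuse
SEEN_NONCES = set()    # (server_id, nonce) pairs already accepted
MAX_SKEW = 300         # seconds a submission stays valid


def sign(server_id, key, player, kills, nonce, ts):
    """Plugin side: serialise the score and tag it with the server's secret."""
    body = json.dumps({"server": server_id, "player": player, "kills": kills,
                       "nonce": nonce, "ts": ts}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(body, tag, now=None):
    """Leaderboard side: return (accepted, reason) for one submission."""
    now = time.time() if now is None else now
    try:
        msg = json.loads(body)
        server_id, nonce, ts = msg["server"], str(msg["nonce"]), float(msg["ts"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    key = SERVER_KEYS.get(server_id) if isinstance(server_id, str) else None
    if key is None:
        return False, "unknown server"
    # The MAC covers the exact bytes received, so any edit in transit breaks it.
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not isinstance(tag, str) or not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad signature"
    if server_id in BLOCKED:
        return False, "server blocked"
    if not abs(now - ts) <= MAX_SKEW:   # written this way so NaN is rejected too
        return False, "stale"
    if (server_id, nonce) in SEEN_NONCES:
        return False, "replay"
    SEEN_NONCES.add((server_id, nonce))
    return True, "ok"
```
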