Ulf Dittmer wrote:
If implementing login functionality is deemed too much work, then I'd guess that client-side SSL would also be too much work.
If one uses just the IP address as identification, then one needs to register that IP address, so there has to be some form of registration. For one client I used a WebStart application with a registration section which generated a client RSA key pair and sent a CSR to the system admin, who checked the credentials of the registrant and, if valid, created a signed certificate which was sent back to the client by email. The server stored the certificate in a MySQL database and the client stored the certificate in a specific location on the hard disk. Sounds complicated, but it was not. The biggest difficulty was getting the client to store the signed certificate in the required location; this may not be necessary on a local area network if the system admin can administer a client's computer. I implemented a registration prototype for both ends of this in just one day, and the final version, together with all the associated JSSE comms API and database DAO, in just a week (others wrote the rest of the application, taking several months).
If a minimal client registration procedure such as this is too much for the OP then I doubt he has anything worth protecting!
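
The registration flow described in the post above, as an added example that is not part of the original post or the poster's Java code. It uses the openssl command line in place of WebStart/JSSE, files in a temporary directory stand in for the e-mail exchange and the MySQL store, and the CA name, client name and lifetimes are constructed.

```shell
#!/bin/sh
# Added example: all names, subjects and lifetimes are constructed for illustration.
set -eu
WORK=$(mktemp -d)

# Admin side, done once: a private CA used only to sign client registrations.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Registration CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Client side: the key pair is generated locally; only the CSR leaves the machine.
make_csr() {    # $1 = client name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Admin side: after checking the registrant's credentials, sign the CSR.
# openssl checks the CSR's self-signature before issuing the certificate.
sign_csr() {    # $1 = client name
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 90 -out "$WORK/$1.crt" 2>/dev/null
}

# Server side: accept a presented certificate only if it chains to the CA
# and has the same SHA-256 fingerprint as the stored (registered) copy.
is_registered() {    # $1 = presented certificate, $2 = stored certificate
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# Walk through one registration for a constructed client called "alice".
make_ca
make_csr alice
sign_csr alice
cp "$WORK/alice.crt" "$WORK/stored-alice.crt"    # stands in for the database row
if is_registered "$WORK/alice.crt" "$WORK/stored-alice.crt"; then
    echo "alice: certificate accepted"
fi
```

The private key never leaves the client in this flow, so the admin's identity check on the registrant is the only step that needs an out-of-band channel.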