Hello Ikai,

I guess many of us have the same problem. It would be good to have
some general advice on that.
Unfortunately GAE only offers built-in authentication for the admin
users or for users within an Apps domain.

So what I did is a simple table with the users' Gmail addresses that
are allowed to access my app. If I can retrieve a user from the
context and his/her email corresponds to the one I have saved, I let
them in.
UserServiceFactory.getUserService().getCurrentUser()

If not I redirect them to the Google login page:
response.sendRedirect(UserServiceFactory.getUserService().createLoginURL(redirect));

This solution works quite well but somehow I do not like it. I have
the strong feeling that I am building something that must already be
there somehow.
Also users do not have the option to add my site as "trusted", so they
have to log in whenever they come back to my page. I do not know how
to work around that.
The only advantage is that I can alternatively give users the
possibility to create an extra account on my site...

You mentioned OAuth and somewhere I read about FriendConnect. I
cannot see how exactly that fits into the framework. Why can't we just
have a Google authentication built into GAE? With a users list as we
do for the account admins and a simple rule to throw into the web.xml,
plus some way for users to self-register if the application developer
wants that. This way no-one needs to reinvent the wheel.

Does such a thing maybe already exist? Or is it on the road-map? Or is
there a good approach you would advise?

Thanks,

Toby
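The approach Toby describes above (look up the current Google user, compare the email against a saved allowlist, otherwise redirect to createLoginURL) as a servlet filter. This is an added example, not Toby's own code: the allowlist is a constructed in-memory set standing in for his datastore table, the package name is hypothetical, and the filter is assumed to be mapped to the protected paths in web.xml. It also handles the case Toby's description leaves open: a user who is signed in to Google but not on the list must get a 403 (with a logout link), because redirecting an already-logged-in user back to the login page would just loop.

```java
// Added example, not from the thread. Hypothetical package name.
package example.auth;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

public class AllowlistFilter implements Filter {

    // Constructed sample allowlist; in Toby's setup this is a table of Gmail
    // addresses in the datastore.
    private static final Set<String> ALLOWED_EMAILS = Collections.unmodifiableSet(
        new HashSet<String>(Arrays.asList("alice@example.com", "bob@example.com")));

    // Normalize before comparing so that "Alice@Example.com" and
    // "alice@example.com" are treated as the same stored entry.
    static String normalize(String email) {
        return email == null ? null : email.trim().toLowerCase(Locale.ROOT);
    }

    static boolean isAllowed(String email) {
        String n = normalize(email);
        return n != null && ALLOWED_EMAILS.contains(n);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        UserService userService = UserServiceFactory.getUserService();
        User user = userService.getCurrentUser();

        if (user == null) {
            // Not signed in: send the user to the Google login page and have it
            // return to the URL that was originally requested.
            String destination = request.getRequestURI();
            if (request.getQueryString() != null) {
                destination += "?" + request.getQueryString();
            }
            response.sendRedirect(userService.createLoginURL(destination));
            return;
        }

        if (!isAllowed(user.getEmail())) {
            // Signed in, but this Google account is not on the list. A second
            // redirect to the login page would loop, so refuse and offer a way
            // to sign out and switch accounts.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType("text/plain");
            response.getWriter().println("Account " + user.getEmail()
                + " is not authorized for this application. Sign out: "
                + userService.createLogoutURL(request.getRequestURI()));
            return;
        }

        // Allowed: continue to the servlet.
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter in web.xml with a filter / filter-mapping pair on the URL patterns that need protection. One caveat worth keeping in mind when the list is keyed by email: a Google account's email address can change, whereas User.getUserId() is a stable identifier, so storing the user ID alongside the address avoids silently locking out (or letting in) the wrong person after a rename.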




On Feb 22, 8:09 pm, "Ikai L (Google)" <ika...@google.com> wrote:
> Providing a login inside a frame is a compromise you should never, ever
> make. You're essentially training your users to be victims of phishing
> attacks. By providing a login in a frame, you're essentially removing every
> single security mechanism browsers provide to attempt to ensure users that
> the site they are on is really the site they are on and not a password
> stealing site. This is why many companies go out of their way to provide
> OAuth: http://oauth.net - because this allows client developers a way to
> authenticate users against another site's identity mechanism without having
> users send their credentials to a potentially untrusted site itself.
>
> Granted, there's a bit of a disconnect on login, but this is a price we'll
> have to pay just because this is one of the failings of browser security.
> Savvy users have already caught on to this, and more and more mainstream
> users will as well. This is a stopgap - when browsers are able to provide
> native authentication mechanisms, we shouldn't have to do this anymore, but
> we have a ways to go before this sort of thing will exist.
>
> On Sun, Feb 21, 2010 at 3:21 PM, John V Denley
> <johnvden...@googlemail.com> wrote:
>
> > The frame works fine when logging in. If it's a security risk please
> > elaborate. I'm only using Google accounts because I don't really know
> > how to do my own security, and I'm guessing that even using Google via
> > a frame is more secure than trying to do it myself!
>
> > When creating an account it does not take the user back to the
> > original page as there is a total disconnect after the user clicks on
> > the link in the email sent from google. Google have informed me that
> > this is a known issue, but has a low priority (which is
> > understandable).
>
> > I have now created what I think is a reasonable compromise. Only time
> > will tell if our potential customers are ok with the process!
>
> > On Feb 18, 7:04 pm, Brian <bwa...@gmail.com> wrote:
> > > You shouldn't use a frame. It is a security problem, and it is right of
> > > the Google login code to break out of it.
>
> > > After they make a new account, if not using a frame, I believe it
> > > forwards the user back to the page they were trying to go to. Seems to
> > > work pretty well.
>
> > > On Feb 18, 8:40 am, John V Denley <johnvden...@googlemail.com> wrote:
>
> > > > I have been trying to leverage Google accounts for security for my
> > > > users, but the way it's working is really preventing usability within
> > > > my application. It's very frustrating.
>
> > > > I've just spent the best part of the last week trying to get the Google
> > > > account login to work in a frame within my application. I've run into
> > > > a number of related issues (see other threads in the GWT group) which
> > > > I have managed to work through finally. (Thanks to everyone who helped
> > > > out and provided input.)
>
> > > > However, I have just tried clicking on the "create an account now"
> > > > link, which is what will be used by any new user who doesn't currently
> > > > have a Google account, but the account creation window has "frame
> > > > breakout" code on it, which takes my users away from my application
> > > > again, and then after clicking on the email link to confirm their new
> > > > account, the user is NOT taken back to my application but is just
> > > > congratulated for creating a Google account.
>
> > > > The problem is that the user is then left thinking "now what do I do?"
> > > > and several of the people we are talking to have just given up at that
> > > > point!
>
> > > > Has anyone else successfully integrated Google accounts into their
> > > > applications?
>
> > > > Should I create my own logins rather than using Google accounts? I
> > > > have struggled with getting a consistent answer to the problem of how
> > > > to send passwords to the server given that GAE doesn't support SSL or
> > > > HTTPS yet. Everyone seems to say that any client-side encoding is
> > > > pointless, but it seems to me that some form of encoding has to be
> > > > better than not encoding at all!!
>
>
> --
> Ikai Lan
> Developer Programs Engineer, Google App Engine
> http://googleappengine.blogspot.com | http://twitter.com/app_engine

--
You received this message because you are subscribed to the Google Groups
"Google App Engine for Java" group.
To post to this group, send email to google-appengine-j...@googlegroups.com.
To unsubscribe from this group, send email to
google-appengine-java+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/google-appengine-java?hl=en.
