It's not GAE - it's Google - we sign URLs everywhere.  In other words -
the User class generates a URL to www.google.com/accounts... and that
URL contains a &continue=foo URL parameter.  Then the User class signs
the entire thing and returns it to the app.  In this particular case,
the User class is a GAE thing, but signing google.com URLs is
required companywide.

More technical details:
That URL is only valid if it is not modified, so if I take out "foo"
and substitute in something else, then the entire URL
(www.google.com/accounts...&continue=something_else...) is no longer
valid (since its &sig parameter is for a URL that has &continue=foo).
So - what that means is that I have to have the value of the continue
parameter when I generate the login URL.  The only way for me to have
the continue parameter server side (as far as I can tell) is to have
it passed in by the client.

On Wed, Aug 4, 2010 at 3:11 PM, Ray Ryan <[email protected]> wrote:
> I guess this is okay if GAE will barf on "http://my.evil.other.place.com/".
> Is that what the signing you mentioned is about?
> And it's a drag that we're sending two copies of the URL with the
> UserInformationRequest, one in the header and one in the payload, but I

Where is the URL in the payload?

> don't see a quick way around that.
> LGTM if I understand GAE's paranoia. If not we need to think some more.
>
> On Wed, Aug 4, 2010 at 2:52 PM, Unnur Gretarsdottir <[email protected]>
> wrote:
>>
>> I don't claim to fully understand the request object, but as far as I
>> can tell, the request object is the AJAX request (so for instance,
>> request.getURL() will return "/gwtRequest".  We need the URL for the
>> page itself. Previously, I was just passing a placeholder to the
>> authentication system, and then, on the client side, swapping that
>> placeholder out for the current location before I did the redirect.
>> However, in the "real" authentication system, the redirect URL is
>> signed, so you can't mess with it.
>>
>> - Unnur
>>
>> On Wed, Aug 4, 2010 at 2:45 PM,  <[email protected]> wrote:
>> > It's kind of surprising that the client is responsible for telling the
>> > server what URL it's coming from. And why aren't the header and the
>> > request parameter redundant?
>> >
>> >
>> > http://gwt-code-reviews.appspot.com/740801/show
>> >
>
>

-- 
http://groups.google.com/group/Google-Web-Toolkit-Contributors
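A sketch of the signed-redirect scheme the thread describes, added here as an illustration only (this is not Google's, GAE's or GWT's code; the HMAC-SHA256 construction, the signing key, the endpoint path, the parameter names other than continue/sig, and the allowed-host check are all assumptions). It shows why the server needs the final continue value before signing: the signature covers the whole URL, so swapping continue afterwards breaks it. It also shows the check the signing itself does not give you: since the client supplies continue, the server should refuse to sign a continue that points off-site before it ever generates the login URL.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Hypothetical values: the real key, endpoint and scheme are not in the thread.
SIGNING_KEY = b"example-signing-key-not-real"
LOGIN_ENDPOINT = "https://www.google.com/accounts/ServiceLogin"
ALLOWED_CONTINUE_HOSTS = {"myapp.appspot.com"}


def is_allowed_continue(continue_url: str) -> bool:
    """Reject continue targets that would send the user off-site after login."""
    parts = urlsplit(continue_url)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_CONTINUE_HOSTS


def _canonical(params) -> str:
    """The exact string that is signed: endpoint plus sorted, encoded params, minus sig."""
    return LOGIN_ENDPOINT + "?" + urlencode(sorted((k, v) for k, v in params if k != "sig"))


def _signature(canonical: str) -> str:
    return hmac.new(SIGNING_KEY, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def make_login_url(continue_url: str, service: str = "ah") -> str:
    """Server side: build and sign the login URL. continue must be known now."""
    if not is_allowed_continue(continue_url):
        raise ValueError("continue must point at an allowed host: " + continue_url)
    canonical = _canonical([("service", service), ("continue", continue_url)])
    return canonical + "&sig=" + _signature(canonical)


def verify_login_url(url: str) -> bool:
    """What the login endpoint does: recompute the signature over everything but sig."""
    parts = urlsplit(url)
    if parts.scheme + "://" + parts.netloc + parts.path != LOGIN_ENDPOINT:
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in params if k == "sig"]
    if len(sigs) != 1:
        return False
    return hmac.compare_digest(sigs[0], _signature(_canonical(params)))


def tamper_continue(url: str, new_continue: str) -> str:
    """Client side: the placeholder-swap trick from the thread, applied to a signed URL."""
    parts = urlsplit(url)
    params = [(k, new_continue if k == "continue" else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.scheme + "://" + parts.netloc + parts.path + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed sample: the page the user was on when login was triggered.
    signed = make_login_url("http://myapp.appspot.com/#place")
    print(signed, verify_login_url(signed))
    print(verify_login_url(tamper_continue(signed, "http://my.evil.other.place.com/")))
```

The sort-then-encode canonicalisation is what makes the signature independent of parameter order while still covering every byte of continue; verify_login_url rebuilds that same string from whatever arrived, so any edit to continue (or a duplicated sig) fails the compare. The is_allowed_continue check is the piece that answers the "evil.other.place.com" question in the thread: signing proves the URL was not altered after the server produced it, not that the client asked for a sensible target.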