I'm not sure what your question is. Do you have a specific question? You mentioned problems with HTTPS on GAE, which is probably a topic more appropriate for the GAE group. As far as GWT is concerned, I think you've already got the gist: HTTPS is a must-have for sending passwords over a public network in anything that can come close to being called a "secure" way.
On Fri, Jun 12, 2009 at 7:46 AM, Shane <shanelstev...@gmail.com> wrote:
>
> I really wish I had an answer to this.
>
> On Jun 10, 5:04 pm, Shane <shanelstev...@gmail.com> wrote:
>> Sorry to keep talking to myself here, but I find what other sites are
>> doing really interesting, and pertinent to GAE because there doesn't
>> seem to be an agreed upon solution.
>>
>> Facebook uses a form for their logins that posts to an HTTPS url:
>>
>> https://login.facebook.com/login.php?
>>
>> So does Google for that matter.
>>
>> Twitter also allows for http://twitter.com and https://twitter.com,
>> although the default is plain http, probably because https is slower
>> and more computationally expensive.
>>
>> So it looks like https is the most secure way, but I noticed that
>> Google App Engine doesn't allow SSL unless you are using a
>> *.appspot.com domain.
>>
>> http://code.google.com/appengine/docs/python/config/appconfig.html#Se...
>>
>> So if I have my blah.mydomain.com pointing via DNS CNAME, to my
>> blah.appspot.com, I can't use https://blah.mydomain.com.
>>
>> All this just to not send the password to the server plain text. :|
>>
>> Cheers,
>> Shane
>>
>> On Jun 10, 4:15 pm, Shane <shanelstev...@gmail.com> wrote:
>>
>> > I've actually just noticed that Twitter itself uses Basic Auth:
>>
>> > http://apiwiki.twitter.com/Authentication
>>
>> > It says OAuth is in development, but that Basic Auth won't be going
>> > anywhere for the foreseeable future.
>>
>> > The trouble is, Basic Auth is insecure:
>>
>> > http://en.wikipedia.org/wiki/Basic_access_authentication
>>
>> > "Although the scheme is easily implemented, it relies on the
>> > assumption that the connection between the client and server computers
>> > is secure and can be trusted. Specifically, the credentials are passed
>> > as plaintext and could be intercepted easily. The scheme also provides
>> > no protection for the information passed back from the server."
>>
>> > I am going to look around at other public web APIs, but if a site as
>> > large as Twitter is content to use this system, should I be all that
>> > worried?
>>
>> > I would really like to know what experienced web programmers do here,
>> > either in GAE+GWT, or just generally.
>>
>> > Cheers,
>> > Shane
>>
>> > On Jun 10, 1:02 am, Shane <shanelstev...@gmail.com> wrote:
>>
>> > > I've seen some pretty heated debates around the discussion boards
>> > > about this, but I haven't seen a solution that people decide on.
>>
>> > > Simply put, any application that I want to write will likely perform
>> > > some sort of mashup between other services, like Twitter.
>>
>> > > For me to do anything interesting, I need the user to enter their
>> > > Twitter username and password into a GWT client-side control on my
>> > > site, which I then send back to my app running on GAE. I'll then
>> > > use the password to log into Twitter with their credentials and do
>> > > whatever it is I want to do, all the while not saving the user's
>> > > password in plain text anywhere. I have no interest in holding onto
>> > > anyone's credentials.
>>
>> > > So what is the best way for me to do this? I am hearing people say
>> > > that anything short of HTTPS is a waste of time.
>>
>> > > I guess this also becomes the larger issue of authentication
>> > > generally, and I'm surprised there are still such heated discussions
>> > > on the subject. I thought it'd be a done deal by now.
>>
>> > > So, if anyone could point me in the right direction, in the context of
>> > > GWT+GAE, I'd much appreciate it.

You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
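
The point this thread makes about Basic Auth and HTTPS, as an added Python example that is not part of the original messages: `decode_basic` shows that a Basic credential is only base64-encoded, and the WSGI middleware refuses any request that carries credentials over plain HTTP. The `/login` path, the class and function names, and the sample credentials are assumptions made for illustration.

```python
import base64

def decode_basic(header_value):
    """What anyone reading the wire recovers from an 'Authorization: Basic ...' value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    # Basic auth is base64 encoding, not encryption: one decode yields the password.
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


class RefuseCleartextCredentials:
    """WSGI middleware: reject requests that carry credentials over plain HTTP."""

    def __init__(self, app, login_paths=("/login",)):  # assumed login route
        self.app = app
        self.login_paths = login_paths

    def __call__(self, environ, start_response):
        carries_secret = ("HTTP_AUTHORIZATION" in environ
                          or environ.get("PATH_INFO", "") in self.login_paths)
        if carries_secret and environ.get("wsgi.url_scheme") != "https":
            body = b"Credentials are only accepted over HTTPS.\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def status_for(environ):
    """Run one constructed request through the middleware; return the status line."""
    seen = []
    def inner(env, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]
    wrapped = RefuseCleartextCredentials(inner)
    list(wrapped(environ, lambda status, headers: seen.append(status)))
    return seen[0]


# Constructed sample: header a client would send for user "alice", password "s3cret".
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
```

By the time the server refuses a cleartext request, the password has already crossed the network, so the login form itself has to post to an https URL; the refusal only stops the application from quietly accepting such requests.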