I'm not sure what your question is. Do you have a specific question?

You mentioned problems with HTTPS on GAE, which is probably a topic
more appropriate for the GAE group. As far as GWT is concerned, I
think you've already got the gist: HTTPS is a must-have for sending
passwords over a public network in anything that can come close to
being called a "secure" way.


On Fri, Jun 12, 2009 at 7:46 AM, Shane <shanelstev...@gmail.com> wrote:
>
> I really wish I had an answer to this.
>
> On Jun 10, 5:04 pm, Shane <shanelstev...@gmail.com> wrote:
>> Sorry to keep talking to myself here, but I find what other sites are
>> doing really interesting, and pertinent to GAE because there doesn't
>> seem to be an agreed upon solution.
>>
>> Facebook uses a form for their logins that posts to an HTTPS url:
>>
>> https://login.facebook.com/login.php?
>>
>> So does Google for that matter.
>>
>> Twitter also allows for http://twitter.com and https://twitter.com,
>> although the default is plain http, probably because https is slower
>> and more computationally expensive.
>>
>> So it looks like https is the most secure way, but I noticed that
>> Google App Engine doesn't allow SSL unless you are using a
>> *.appspot.com domain.
>>
>> http://code.google.com/appengine/docs/python/config/appconfig.html#Se...
>>
>> So if I have my blah.mydomain.com pointing via DNS CNAME, to my
>> blah.appspot.com, I can't use https://blah.mydomain.com.
>>
>> All this just to not send the password to the server plain text.  :|
>>
>> Cheers,
>> Shane
>>
>> On Jun 10, 4:15 pm, Shane <shanelstev...@gmail.com> wrote:
>>
>>
>>
>> > I've actually just noticed that Twitter itself uses Basic Auth:
>>
>> > http://apiwiki.twitter.com/Authentication
>>
>> > It says OAuth is in development, but that Basic Auth won't be going
>> > anywhere for the foreseeable future.
>>
>> > The trouble is, Basic Auth is insecure:
>>
>> > http://en.wikipedia.org/wiki/Basic_access_authentication
>>
>> > "Although the scheme is easily implemented, it relies on the
>> > assumption that the connection between the client and server computers
>> > is secure and can be trusted. Specifically, the credentials are passed
>> > as plaintext and could be intercepted easily. The scheme also provides
>> > no protection for the information passed back from the server."
>>
>> > I am going to look around at other public web APIs, but if a site as
>> > large as Twitter is content to use this system, should I be all that
>> > worried?
>>
>> > I would really like to know what experienced web programmers do here,
>> > either in GAE+GWT, or just generally.
>>
>> > Cheers,
>> > Shane
>>
>> > On Jun 10, 1:02 am, Shane <shanelstev...@gmail.com> wrote:
>>
>> > > I've seen some pretty heated debates around the discussion boards
>> > > about this, but I haven't seen a solution that people decide on.
>>
>> > > Simply put, any application that I want to write will likely perform
>> > > some sort of mashup between other services, like Twitter.
>>
>> > > For me to do anything interesting, I need the user to enter their
>> > > Twitter username and password into a GWT client-side control on my
>> > > site, which I then send back to my app running on GAE.  I'll then
>> > > use the password to log into Twitter with their credentials and do
>> > > whatever it is I want to do, all the while not saving the user's
>> > > password in plain text anywhere.  I have no interest in holding onto
>> > > anyone's credentials.
>>
>> > > So what is the best way for me to do this?  I am hearing people say
>> > > that anything short of HTTPS is a waste of time.
>>
>> > > I guess this also becomes the larger issue of authentication
>> > > generally, and I'm surprised there are still such heated discussions
>> > > on the subject.  I thought it'd be a done deal by now.
>>
>> > > So, if anyone could point me in the right direction, in the context of
>> > > GWT+GAE, I'd much appreciate it.
> >
>
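
The point the thread keeps returning to, that Basic Auth credentials are only base64-encoded and need HTTPS underneath, shown as an added example that is not part of any poster's message or of GWT/GAE code. The middleware name `RequireHTTPSForCredentials`, the helper names and the sample credentials are constructed for illustration; it assumes a plain WSGI app.

```python
import base64


def parse_basic(header):
    """Return (user, password) from an 'Authorization' header value, or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        # base64 is an encoding, not encryption: anyone on the path can do this.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


class RequireHTTPSForCredentials:
    """Hypothetical WSGI middleware: refuse Basic credentials sent over plain HTTP.

    The password has already crossed the wire by the time this runs, so the
    rejection only stops the app from acting on it and exposes the
    misconfigured client; the real fix is serving the login over HTTPS.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        has_creds = parse_basic(environ.get("HTTP_AUTHORIZATION", "")) is not None
        if has_creds and environ.get("wsgi.url_scheme") != "https":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Credentials are only accepted over HTTPS.\n"]
        return self.app(environ, start_response)


def inner_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(scheme, auth_header):
    """Drive the middleware with a constructed WSGI environ; return the status."""
    seen = []
    environ = {"wsgi.url_scheme": scheme, "HTTP_AUTHORIZATION": auth_header}
    RequireHTTPSForCredentials(inner_app)(environ, lambda s, h: seen.append(s))
    return seen[0]


# Constructed sample header, as a browser would send it for alice / s3cret.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
```
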
