Maybe the question got lost in my research. I'm not from a Web background (C++ + video games), so this may be painfully obvious, but I want to know how people authenticate over non-HTTPS connections, specifically using GAE (Java).
My point is that any app that stores any sort of user specific data will need the user to log into their app. I've had a look around at various public sites, and watched the data going back and forth over the wire, and the results are surprising. A lot of public sites use basic auth over http, which surprises me. As I mention above, even Twitter doesn't use HTTPS in its default state for users logging in, and same goes for their REST API.

So, what do people do? I am going to look into OpenID and OAuth next.

Cheers,
Shane

On Jun 13, 12:57 am, Isaac Truett <[email protected]> wrote:
> I'm not sure what your question is. Do you have a specific question?
>
> You mentioned problems with HTTPS on GAE, which is probably a topic
> more appropriate for the GAE group. As far as GWT is concerned, I
> think you've already got the gist: HTTPS is a must-have for sending
> passwords over a public network in anything that can come close to
> being called a "secure" way.
>
> On Fri, Jun 12, 2009 at 7:46 AM, Shane <[email protected]> wrote:
>
> > I really wish I had an answer to this.
>
> > On Jun 10, 5:04 pm, Shane <[email protected]> wrote:
> >> Sorry to keep talking to myself here, but I find what other sites are
> >> doing really interesting, and pertinent to GAE because there doesn't
> >> seem to be an agreed upon solution.
>
> >> Facebook uses a form for their logins that posts to an HTTPS url:
>
> >> https://login.facebook.com/login.php?
>
> >> So does Google for that matter.
>
> >> Twitter also allows for http://twitter.com and https://twitter.com,
> >> although the default is plain http, probably because https is slower
> >> and more computationally expensive.
>
> >> So it looks like https is the most secure way, but I noticed that
> >> Google App Engine doesn't allow SSL unless you are using a
> >> *.appspot.com domain.
>
> >> http://code.google.com/appengine/docs/python/config/appconfig.html#Se...
>
> >> So if I have my blah.mydomain.com pointing via DNS CNAME, to my
> >> blah.appspot.com, I can't use https://blah.mydomain.com.
>
> >> All this just to not send the password to the server plain text. :|
>
> >> Cheers,
> >> Shane
>
> >> On Jun 10, 4:15 pm, Shane <[email protected]> wrote:
>
> >> > I've actually just noticed that Twitter itself uses Basic Auth:
>
> >> > http://apiwiki.twitter.com/Authentication
>
> >> > It says OAuth is in development, but that Basic Auth won't be going
> >> > anywhere for the foreseeable future.
>
> >> > The trouble is, Basic Auth is insecure:
>
> >> > http://en.wikipedia.org/wiki/Basic_access_authentication
>
> >> > "Although the scheme is easily implemented, it relies on the
> >> > assumption that the connection between the client and server computers
> >> > is secure and can be trusted. Specifically, the credentials are passed
> >> > as plaintext and could be intercepted easily. The scheme also provides
> >> > no protection for the information passed back from the server."
>
> >> > I am going to look around at other public web API's, but if a site as
> >> > large as Twitter is content to use this system, should I be all that
> >> > worried?
>
> >> > I would really like to know what experienced web programmers do here,
> >> > either in GAE+GWT, or just generally.
>
> >> > Cheers,
> >> > Shane
>
> >> > On Jun 10, 1:02 am, Shane <[email protected]> wrote:
>
> >> > > I've seen some pretty heated debates around the discussion boards
> >> > > about this, but I haven't seen a solution that people decide on.
>
> >> > > Simply put, any application that I want to write will likely perform
> >> > > some sort of mashup between other services, like Twitter.
>
> >> > > For me to do anything interesting, I need the user to enter their
> >> > > Twitter username and password into a GWT client-side control on my
> >> > > site, which I then send back to my app running on GAE. I'll then
> >> > > use the password to log into Twitter with their credentials and do
> >> > > whatever it is I want to do, all the while not saving the user's
> >> > > password in plain text anywhere. I have no interest in holding onto
> >> > > anyone's credentials.
>
> >> > > So what is the best way for me to do this? I am hearing people say
> >> > > that anything short of HTTPS is a waste of time.
>
> >> > > I guess this also becomes the larger issue of authentication
> >> > > generally, and I'm surprised there are still such heated discussions
> >> > > on the subject. I thought it'd be a done deal by now.
>
> >> > > So, if anyone could point me in the right direction, in the context of
> >> > > GWT+GAE, I'd much appreciate it.
