For what you're doing and the limitations you have mentioned, I would go with OpenID; that way you rely on third parties to do the authentication, and I think in most cases it will use https. I have used Spring Security to quickly set up OpenID as an authentication method (although I have never run within appspot, so can't help with specifics for your case).
On Jun 12, 11:45 am, Shane <[email protected]> wrote:
> Maybe the question got lost in my research.
>
> I'm not from a Web background (C++ + video games), so this may be painfully obvious, but I want to know how people authenticate over non-HTTPS connections, specifically using GAE (Java).
>
> My point is that any app that stores any sort of user specific data will need the user to log into their app. I've had a look around at various public sites, and watched the data going back and forth over the wire, and the results are surprising. A lot of public sites use basic auth over http, which surprises me. As I mention above, even Twitter doesn't use HTTPS in its default state for users logging in, and same goes for their REST API.
>
> So, what do people do? I am going to look into OpenID and OAuth next.
>
> Cheers,
> Shane
>
> On Jun 13, 12:57 am, Isaac Truett <[email protected]> wrote:
> > I'm not sure what your question is. Do you have a specific question?
> >
> > You mentioned problems with HTTPS on GAE, which is probably a topic more appropriate for the GAE group. As far as GWT is concerned, I think you've already got the gist: HTTPS is a must-have for sending passwords over a public network in anything that can come close to being called a "secure" way.
> >
> > On Fri, Jun 12, 2009 at 7:46 AM, Shane <[email protected]> wrote:
> > > I really wish I had an answer to this.
> > >
> > > On Jun 10, 5:04 pm, Shane <[email protected]> wrote:
> > > > Sorry to keep talking to myself here, but I find what other sites are doing really interesting, and pertinent to GAE because there doesn't seem to be an agreed upon solution.
> > > >
> > > > Facebook uses a form for their logins that posts to an HTTPS url:
> > > >
> > > > https://login.facebook.com/login.php?
> > > >
> > > > So does Google for that matter.
> > > >
> > > > Twitter also allows for http://twitter.com and https://twitter.com, although the default is plain http, probably because https is slower and more computationally expensive.
> > > >
> > > > So it looks like https is the most secure way, but I noticed that Google App Engine doesn't allow SSL unless you are using a *.appspot.com domain.
> > > >
> > > > http://code.google.com/appengine/docs/python/config/appconfig.html#Se...
> > > >
> > > > So if I have my blah.mydomain.com pointing via DNS CNAME to my blah.appspot.com, I can't use https://blah.mydomain.com.
> > > >
> > > > All this just to not send the password to the server plain text. :|
> > > >
> > > > Cheers,
> > > > Shane
> > > >
> > > > On Jun 10, 4:15 pm, Shane <[email protected]> wrote:
> > > > > I've actually just noticed that Twitter itself uses Basic Auth:
> > > > >
> > > > > http://apiwiki.twitter.com/Authentication
> > > > >
> > > > > It says OAuth is in development, but that Basic Auth won't be going anywhere for the foreseeable future.
> > > > >
> > > > > The trouble is, Basic Auth is insecure:
> > > > >
> > > > > http://en.wikipedia.org/wiki/Basic_access_authentication
> > > > >
> > > > > "Although the scheme is easily implemented, it relies on the assumption that the connection between the client and server computers is secure and can be trusted. Specifically, the credentials are passed as plaintext and could be intercepted easily. The scheme also provides no protection for the information passed back from the server."
> > > > >
> > > > > I am going to look around at other public web APIs, but if a site as large as Twitter is content to use this system, should I be all that worried?
> > > > >
> > > > > I would really like to know what experienced web programmers do here, either in GAE+GWT, or just generally.
> > > > >
> > > > > Cheers,
> > > > > Shane
> > > > >
> > > > > On Jun 10, 1:02 am, Shane <[email protected]> wrote:
> > > > > > I've seen some pretty heated debates around the discussion boards about this, but I haven't seen a solution that people decide on.
> > > > > >
> > > > > > Simply put, any application that I want to write will likely perform some sort of mashup between other services, like Twitter.
> > > > > >
> > > > > > For me to do anything interesting, I need the user to enter their Twitter username and password into a GWT client-side control on my site, which I then send back to my app running on GAE. I'll then use the password to log into Twitter with their credentials and do whatever it is I want to do, all the while not saving the user's password in plain text anywhere. I have no interest in holding onto anyone's credentials.
> > > > > >
> > > > > > So what is the best way for me to do this? I am hearing people say that anything short of HTTPS is a waste of time.
> > > > > >
> > > > > > I guess this also becomes the larger issue of authentication generally, and I'm surprised there are still such heated discussions on the subject. I thought it'd be a done deal by now.
> > > > > >
> > > > > > So, if anyone could point me in the right direction, in the context of GWT+GAE, I'd much appreciate it.
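The quoted Wikipedia passage says Basic credentials travel as plaintext; the point a defender should see is that the header is base64(user:password), an encoding and not encryption, so anything that can read an http request can read the password. The following example is added here and is not code from anyone in the thread: it decodes a Basic header per RFC 7617 and audits a set of constructed requests (the `.invalid` host and credentials are made up) to flag Basic credentials sent to a non-https URL.

```python
import base64
import binascii
from urllib.parse import urlsplit


def decode_basic_header(value):
    """Decode an HTTP Authorization header value.

    Returns (user, password) for a well-formed Basic credential and None
    for any other scheme or a malformed token. The token is only
    base64(user:password) (RFC 7617): reversible by anyone who sees it.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: the user-id may not contain ':', so split on the first one.
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    if not sep:
        return None
    return user, password


def audit_requests(requests):
    """Return (url, user) for every request carrying Basic credentials
    to a URL whose scheme is not https, i.e. a password on the wire."""
    findings = []
    for url, headers in requests:
        creds = decode_basic_header(headers.get("Authorization", ""))
        if creds is not None and urlsplit(url).scheme.lower() != "https":
            findings.append((url, creds[0]))
    return findings


# Constructed sample requests for this demonstration, not captured traffic.
SAMPLE = [
    ("http://api.example.invalid/timeline",
     {"Authorization": "Basic " + base64.b64encode(b"alice:hunter2").decode()}),
    ("https://api.example.invalid/timeline",
     {"Authorization": "Basic " + base64.b64encode(b"bob:s3cret").decode()}),
    ("http://api.example.invalid/public", {}),
    ("http://api.example.invalid/broken", {"Authorization": "Basic not*b64"}),
]

if __name__ == "__main__":
    for url, user in audit_requests(SAMPLE):
        print(f"Basic credential for '{user}' sent in the clear to {url}")
```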
