Thanks gengstrand, I'll deal with your 3 options in turn:

1. "Official App Engine options"

a) Use Google Accounts as a unified sign-on: this is how we are currently implementing it. The problem is that if the potential customer/user is not very technically savvy, and either doesn't have an email address or only has a Hotmail account, then setting up a Google account is not at all straightforward, and because it doesn't have any kind of API, it can't be integrated into your existing application, so the sign-up and sign-in processes are very disconnected from the non-Google application.

b) Use Google Apps for your domain: this is a similar argument to the above problem; fine if you are doing something inside your organisation, but if you are dealing with random basic internet users (e.g. everyone on Facebook) then it is next to useless as an authentication option.

2. The use of jBCrypt: this is fine for encrypting the password into the database on the server, but from reading a lot of other posts on this subject, GWT does something funny when translating jBCrypt into JavaScript on the client, and renders it useless.

3. Waiting for RpcAuth: this is no good for us, as we are currently live, and as I said above, I'm looking for an "in-house" alternative to Google Accounts as a unified login.

It seems to me that I'm still not getting a clear answer to my main question: "Given that I can't use SSL or HTTPS and I don't want to use a 3rd-party login system, how safe is it to just send passwords in plain text to the server and then use jBCrypt on the server to encrypt the passwords when storing them?"

On Feb 13, 6:55 pm, gengstrand <[email protected]> wrote:
> First, take a look at this article and see if it covers your needs.
> This is the official position on GAE and authentication.
>
> http://code.google.com/appengine/articles/auth.html
>
> If that's not going to cut it for you, then take a look at
> http://www.mindrot.org/projects/jBCrypt/
>
> If you were using GWT and weren't going to deploy for a while, then
> you might want to take a look at
> http://code.google.com/p/google-web-toolkit/wiki/RpcAuth
>
> I hope this helps.
>
> On Feb 12, 9:14 pm, John V Denley <[email protected]> wrote:
> > really no responses on this one?
> >
> > On Feb 11, 11:19 pm, John V Denley <[email protected]> wrote:
> > > There are plenty of (fairly in-depth & technical) conversations on here
> > > about the use of passwords and how to send the data/password to the
> > > server.
> > >
> > > It very much seems a consensus that unless you are using HTTPS/SSL
> > > then it's totally pointless doing anything on the client.
> > >
> > > Given that Google App Engine does not support HTTPS/SSL, what is
> > > everyone's opinion on this matter, what IS the best practice?
> > >
> > > As a side bar on this, up to now I have been using the Google account
> > > login to deal with all this, but have been getting a LOT of resistance
> > > from my potential user community who get very lost and confused about
> > > the process when having to create a Google account, prior to being
> > > able to create an account in my system, hence the "need" to look at
> > > having my own security, which scares me as I don't know anything about
> > > this subject, but I want my users' logons/data to be safe and secure.

-- 
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
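The option discussed in point 2 above, server-side hashing of the received password with jBCrypt, as an added example that is not code from anyone in this thread. It assumes the jBCrypt library (org.mindrot.jbcrypt.BCrypt, from the mindrot URL quoted above) is on the classpath; the class name PasswordStore and the sample password are made up for illustration. It also makes explicit what the hashing does and does not cover, which is the question the post keeps asking: bcrypt protects the copy of the password that sits in the datastore, and says nothing about the copy that travels over plain HTTP.

```java
import org.mindrot.jbcrypt.BCrypt;

/**
 * Server-side password storage with jBCrypt (org.mindrot.jbcrypt.BCrypt).
 * Added example for this thread, not the poster's code. Assumes jBCrypt is on
 * the classpath; the class name and sample password are constructed.
 *
 * What this does and does not protect:
 *  - It protects the stored credential: a copy of the datastore yields only
 *    salted bcrypt hashes, which are slow to brute-force.
 *  - It does nothing for the password in transit. Over plain HTTP the
 *    password arrives at the server in the clear and can be read or replayed
 *    by anyone on the network path; hashing it afterwards does not change that.
 */
public final class PasswordStore {

    /** bcrypt cost factor (2^12 rounds). Raise it as hardware gets faster. */
    private static final int LOG_ROUNDS = 12;

    private PasswordStore() {}

    /**
     * Hash a freshly chosen password for storage. BCrypt.gensalt() produces a
     * new random salt on every call, so equal passwords get different hashes.
     */
    public static String hashForStorage(String plaintextPassword) {
        if (plaintextPassword == null || plaintextPassword.isEmpty()) {
            throw new IllegalArgumentException("empty password");
        }
        return BCrypt.hashpw(plaintextPassword, BCrypt.gensalt(LOG_ROUNDS));
    }

    /**
     * Verify a login attempt against the stored hash. The salt and cost are
     * read back out of the stored string, so nothing else needs to be kept.
     * The plaintext is never logged or stored.
     */
    public static boolean verify(String plaintextPassword, String storedHash) {
        if (plaintextPassword == null || storedHash == null) {
            return false;
        }
        try {
            return BCrypt.checkpw(plaintextPassword, storedHash);
        } catch (IllegalArgumentException e) {
            // storedHash is not a well-formed bcrypt string (corrupted or legacy record)
            return false;
        }
    }

    /** Demo with a constructed sample password; the hash differs on every run because of the random salt. */
    public static void main(String[] args) {
        String chosen = "correct horse battery staple";   // constructed sample input
        String stored = hashForStorage(chosen);           // what a servlet would write to the datastore
        System.out.println("stored: " + stored);          // begins with the $2a$12$ version/cost prefix
        System.out.println("right password verifies: " + verify(chosen, stored));
        System.out.println("wrong password verifies:  " + verify("Correct horse battery staple", stored));
        System.out.println("garbage hash verifies:    " + verify(chosen, "not-a-bcrypt-hash"));
    }
}
```

In a GAE servlet the plaintext would come from request.getParameter on the login form and go straight into verify(); what bcrypt buys you is that a leaked datastore does not hand out the passwords, and what it cannot buy you is confidentiality on the wire, which only transport encryption provides.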
