Hi Jeff, I've been using Google Accounts for login in a GWT side project without any trouble (granted, I'm a little biased :-) I choose Google auth for exactly the reasons you mention. FYI, there are some classes in the Expenses GWT sample app that implement login with Google Accounts on GAE.
http://code.google.com/p/google-web-toolkit/source/browse/trunk/samples/expenses/src/main/java/com/google/gwt/sample/gaerequest/ /dmc On Tue, Feb 1, 2011 at 9:08 AM, Jeff Schwartz <[email protected]>wrote: > Hi all, > > I hope you don't mind me cross posting this to both the gwt and app engine > groups since I'd really like to get the opinions of users on both platforms. > > I'm in the middle of developing a gwt application on app engine. The > application's security requirements are that non members, meaning those that > haven't registered, are restricted to viewing only the application's public > 'page'. > > What I developed for authentication is home grown using my own login form, > client side cookies and a User entity with password and email address stored > in the application's data store. While my home grown implementation works > perfectly I am not comfortable with the security implications of cookies and > passing raw passwords to the server to authenticate my users. I also can not > use SSL at this time as financial constraints unfortunately prohibit any > expenditures on this project. > > As I place my users' privacy and security above all else I am therefore > looking to implement a better solution; one that would if possible eliminate > my responsibility altogether of having to store cookies and passwords and > transport them via HTTP when authenticating. > > One alternative that I am currently considering is using Google Accounts to > authenticate my users along with my own User entity that would store the > additional information users must provide when registering to use the > services of my application. My User entity (not to be confused with the User > object provided by the User API) would store the user's Google Account ID > and would provide the ability to determine if a user is registered simply by > querying for their Google Accounts ID in my datastore. It would eliminate > having to store client side cookies and sending raw passwords to the server. > So far it seems like a win-win proposition as it appears to satisfy all my > use cases. > > For those who already use Google Accounts for user authentication are you > happy with the service? How about the services' availability track record > and does it provide the security you had hoped it would? > > For those using Google Accounts along with GWT have you found any specific > issues related to using it with GWT (I am using RPC BTW) that you can > relate? > > I am looking forward to reading your feedback and responses and thanks in > advance. > > Jeff > > > > > -- > *Jeff Schwartz* > > -- > You received this message because you are subscribed to the Google Groups > "Google Web Toolkit" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]<google-web-toolkit%[email protected]> > . > For more options, visit this group at > http://groups.google.com/group/google-web-toolkit?hl=en. > -- David Chandler Developer Programs Engineer, Google Web Toolkit w: http://code.google.com/ b: http://googlewebtoolkit.blogspot.com/ t: @googledevtools -- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
