I'm writing a web app using GWT and GAE (Java).  I know GAE pretty
well, especially the Python version; I'm new to GWT and the Java
version of GAE.


I tried to set up my app so that the user had to be logged in to
access it; from app.yaml:

application: myapp
version: 1
runtime: java

welcome_files:
  - index.jsp
  - index.html

handlers:

- url: /admin/*
#  secure: always
  login: admin

- url: /MyApp.html
#  secure: always
  login: required


This seems to generate a web.xml that has access restrictions on the
main page:

  <security-constraint>
    <web-resource-collection>
      <url-pattern>/MyApp.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>


As expected, when run under ant devmode I am required to fake-login
when I first go to the page.  However I wanted the user to have a
logout url.

First, there seems to be no way to do this on the client, which seems
bizarre: how can it be that I have to hit the server just to generate
a URL so that the user can log out?  However, not seeing an
alternative, I wrote an RPC service to do this.

I used an HTML element in GWT to put the link on the page; this seems
to work when I put links to Google searches, etc.  When I put the URL
to log out (which was generated to link the user back to the main page
which requires login (something I have done before with the Python
version of GAE without all the Ajax stuff)), instead of getting asked to
log in again (and then seeing the main page), I just get a 404 Not
found: /_ah/MyApp.html.  I thought this was perhaps some effect of
the Chrome plugin running under devmode, so I actually compiled the
app and ran it as a compiled GAE app (dev_appserver.sh); exact same
problem.


Another odd effect is that under some circumstances (perhaps after
having just done the above) I go to the main page of my app and the
RPC service I wrote to get the logout URL for the user replies that
the user is not logged in.

Given the app.yaml configuration (which seems to correctly generate
the web.xml) to not even let the user see the page unless they are
logged in, how is it possible for that to even happen?  Even if the
user is being correctly logged out (by the page which then says 404),
how can I ever go to my app main page and yet not be logged in?

Is this an Ajax effect where the user is logged out, but the page stays
around (having already been rendered when the user was logged in) and
then the RPC hits the server and finds out that the user is now logged
out?  If this is the case, then it seems rather pointless to restrict
access in the app.yaml / web.xml as I also have to check it every time
I get an RPC call anyway, right?  (I suppose the app.yaml
configuration might save a few server round-trips the first time the
user visits the page?)


I'm running an up-to-date version of OS X 10.6.8 (x86).
My browser is Chrome: 16.0.912.63 (Official Build 113337)
$ java -version
java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-10M3527)
Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)
I'm using gwt-2.4.0.
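
Added example, not part of the original post: a small audit script that lists which request paths the generated web.xml constraints actually cover. The /MyApp.html constraint is the one quoted above; the /admin/* constraint is constructed from the app.yaml, and /myapp/session is an assumed RPC servlet path.

```python
import xml.etree.ElementTree as ET

# /MyApp.html constraint is from the post; the /admin/* one is constructed
# from the post's app.yaml (login: admin) for illustration.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/MyApp.html</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(elem):
    """Tag name without an XML namespace, so namespaced web.xml files also parse."""
    return elem.tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    return [e.text.strip() for e in parent.iter() if _local(e) == name and e.text]


def load_constraints(xml_text):
    """Return [(url_pattern, [role, ...])], one entry per url-pattern."""
    root = ET.fromstring(xml_text)
    return [(pattern, _texts(sc, "role-name"))
            for sc in root.iter() if _local(sc) == "security-constraint"
            for pattern in _texts(sc, "url-pattern")]


def pattern_matches(pattern, path):
    """Servlet url-pattern forms: prefix (/x/*), extension (*.x), default (/), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/" or pattern == path


def matching_constraints(path, constraints):
    """Constraints whose pattern covers path; [] means no container login check."""
    return [(p, roles) for p, roles in constraints if pattern_matches(p, path)]


if __name__ == "__main__":
    cons = load_constraints(WEB_XML)
    # /myapp/session is an assumed GWT RPC servlet path, not taken from the post.
    for path in ("/MyApp.html", "/admin/stats", "/myapp/session"):
        print(path, matching_constraints(path, cons) or "no constraint matches")
```

A path with no matching constraint is served without a container login check, so the servlet handling it has to verify the user itself.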
