Imagine I want to create the game "Rock-paper-scissors" for Google Waves. I am thinking of implementing it as a Wave Gadget.

The idea is simple: all participants send their decisions to my cloud app (it is an Appengine Java Application), my server part collects this data and does not share it with anybody until all participants complete their selection. After this the selection is shared with all participants and the winner is determined.

I can use wave.getViewer().getId() to identify the user on the server during gadgets.io.makeRequest. It works perfectly. But how can I, on the server side, make sure that the incoming request is really from this specific wave user? (How can I approve that wave's participant id is not hacked on the client side? Is any wave container signature available that allows determining the wave participant id?)

What are the best practices for google wave participant authentication on my appengine side? Please provide examples if possible.

My actual gadget is more complicated but the problem is as described above.

A: 

As far as I can tell there is no "easy" way of doing this because all the communication with gadgets is directly between the client and the gadget, without Google interference for anything but the gadget's XML description.

The only way I can think of off the top of my head is to have your users "log in" to the gadget's iframe with the accounts feature of Google App Engine. This would ensure they are indeed whoever they log in as.

Ranieri
+1  A: 

I would code against an imagined future solution that is baked directly into the Wave protocol or API and hope that nobody spoofs participant IDs. You could also contact the Wave team to make your need for the feature known and see if anyone else is looking for the same.

It looks like there is some OpenAuth integration already built-in for robots: http://wave-robot-java-client.googlecode.com/svn/trunk/doc/index.html

Would you be able to implement a robot instead of a gadget? Or maybe use a robot for auth and have the gadget interface with your own auth tokens server-side?

pavel.vodenski
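
One way the "own auth tokens server-side" idea could look on the App Engine side, as an added example that is not code from any of the answers or from the Wave API: trusted server-side code issues an HMAC tag bound to the wave and participant id, and the request handler recomputes it instead of trusting the id the gadget sends. The class name, the wave id format and the sample values are hypothetical, and it assumes the token reaches only the participant it was issued for.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper: binds a participant id to a wave with a server-held key.
public class ParticipantToken {
    private final SecretKeySpec key;

    public ParticipantToken(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    // Called by trusted server-side code (for example the robot), which learns
    // the participant id from Wave itself rather than from the browser.
    public String issue(String waveId, String participantId) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        // Length-prefix the first field so ("a", "bc") and ("ab", "c") produce different tags.
        String msg = waveId.length() + ":" + waveId + participantId;
        byte[] tag = mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Called in the handler that receives gadgets.io.makeRequest: the claimed id
    // is accepted only if the presented token matches the recomputed one.
    public boolean verify(String waveId, String claimedId, String token) throws GeneralSecurityException {
        byte[] expected = issue(waveId, claimedId).getBytes(StandardCharsets.UTF_8);
        byte[] given = (token == null ? "" : token).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given); // comparison that does not stop at the first mismatch
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values; a real key is random and kept in server configuration.
        byte[] secret = "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        ParticipantToken tokens = new ParticipantToken(secret);
        String wave = "example.com!w+constructed";
        String aliceToken = tokens.issue(wave, "alice@googlewave.com");

        System.out.println("alice with her token:     " + tokens.verify(wave, "alice@googlewave.com", aliceToken));
        System.out.println("mallory with alice token: " + tokens.verify(wave, "mallory@googlewave.com", aliceToken));
        System.out.println("alice in another wave:    " + tokens.verify("example.com!w+other", "alice@googlewave.com", aliceToken));
    }
}
```

Only the first check succeeds; a changed participant id or a token replayed in a different wave fails verification.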
A: 

> How can I approve that wave's participant id is not hacked on the client side?

How can a user hack his wave participant id? I think there's no problem, wave.getViewer().getId() should be right.

myfreeweb
A: 

I think you'd want to look into making a wave ROBOT instead of a GADGET. There is a difference.

Robots are wave-aware, gadgets are not.

Wave Robot API: http://code.google.com/apis/wave/extensions/robots/

WedTM