I am trying to write an application for Google App Engine that would be available only for myself. (I know it sounds strange... just for the time being.) I am trying to write a login servlet that would authenticate the user using Google's UserService and let the user into the app only if I log in, and would show a brief message prompting for logout for everyone else.

Here is the code I have written:

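import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

public class MainPageServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Ask browsers and proxies not to cache the response.
        resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
        resp.setContentType("text/html");

        UserService userService = UserServiceFactory.getUserService();
        User user = userService.getCurrentUser();

        if (user != null) {
            if (user.getEmail().equals("[email protected]")) {
                // The one allowed account.
                resp.getWriter().println("done");
            } else {
                // Everyone else: show a message and a link that logs out, then goes to login.
                resp.getWriter().println("Hello, " + user.getNickname() + "<br>");
                resp.getWriter().println("Thanks for your interest. But this application is still not available to everybody.");
                // The href value is quoted so the URL is parsed as a single attribute value.
                resp.getWriter().println("<a href=\"" + userService.createLogoutURL(userService.createLoginURL(req.getRequestURI())) + "\">Log out</a>");
            }
        } else {
            // Not logged in to this app: redirect to the login page.
            resp.sendRedirect(userService.createLoginURL(req.getRequestURI()));
        }
    }
}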

The code related to "driving away" all other users works fine. But I am facing problems when I log in: after I log in, it shows the message "done" as expected. However, after this, if I open some other Google service and log out from there and again invoke this servlet, it still shows the message "done". I had expected that the app would prompt me to log in again, which is not happening. I thought it was happening because the result is getting cached, and so disabled caching (first line in the method), but the problem persists even after that. What's wrong? How do I get the expected behavior?

+2  A: 

You don't. If you want the user to log out of your service, then they need to log out of your service (by you calling the logout method of UserManager). The fact that they share the username and password with other Google services doesn't mean that logging out of those other services auto-logs them out of yours.

jsight
Are you sure? That's not how Google's own apps behave. If you have Orkut and Gmail open and you sign out from either of the apps, Google automatically signs you out of the other app as well. It's single sign-on. I thought UserService would behave exactly the same way for users' apps as well.
Aadith
Orkut and Gmail are not App Engine apps. If you're unsure if caching is interfering, take a query string argument and print it out along with the 'done' message.
Nick Johnson
It would be pretty insecure for a user to just automatically be logged into your app because they were logged into other Google services. Imagine you logged into Gmail, then visited some random App Engine app via Google, and it was able to read your email address.
Danny Tuppeny
Hmm... makes sense.
Aadith
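
Added example, not part of the original answer or comments: a servlet that gives every signed-in user, including the allowed one, an explicit logout link built with `createLogoutURL`, and echoes a query-string argument next to "done" as the cache check suggested in the comments. The class name `OwnerOnlyServlet`, the address `owner@example.com`, the `probe` parameter and the `esc` helper are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

public class OwnerOnlyServlet extends HttpServlet {
    // Assumption: placeholder for the single allowed account.
    private static final String OWNER_EMAIL = "owner@example.com";

    // Minimal HTML escaping so echoed values cannot inject markup.
    static String esc(String s) {
        return s == null ? "" : s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;").replace("'", "&#39;");
    }

    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/html; charset=UTF-8");
        UserService users = UserServiceFactory.getUserService();
        User user = users.getCurrentUser();
        String here = req.getRequestURI();

        if (user == null) {
            // No session for this app: send the browser through the login flow.
            resp.sendRedirect(users.createLoginURL(here));
            return;
        }
        PrintWriter out = resp.getWriter();
        // This app's session ends only when the browser follows this URL.
        String logout = esc(users.createLogoutURL(here));
        if (OWNER_EMAIL.equalsIgnoreCase(user.getEmail())) {
            // Cache check from the comments: a fresh response echoes the current
            // value of ?probe=...; a cached response would show a stale value.
            out.println("done (probe=" + esc(req.getParameter("probe")) + ")<br>");
        } else {
            out.println("Hello, " + esc(user.getNickname()) + "<br>");
            out.println("This application is not available to everybody yet.<br>");
        }
        out.println("<a href=\"" + logout + "\">Log out</a>");
    }
}
```

Requesting the servlet with a different `probe` value each time shows whether the response is generated fresh; following the logout link and then reloading should redirect to the login page.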