tags:

views:

76

answers:

2
+2  Q: 

Secure authentication with GWT and GAE over https?

I want to implement a custom user authentication system in my appengine app. I don't want to use sessions. I'm a newbie in this area, so I have two basic questions:

1: Is it secure to just send a username and password with every single RPC over https? What do I need to do to keep that username and password secure on the client end?

2: How do I tell GWT to use https when it makes its requests?

I don't know much about security, so please don't spare me any "obvious" details.

Thanks!

A: 

On GAE you can also use Google User Services API http://code.google.com/appengine/docs/java/users/overview.html . It's very intuitive and you won't need to know security details.

Ludovic  2010-09-10 14:29:27
Thanks, but I need more control than that API provides (I want to create my own users, not rely on an external authentication method).
Riley  2010-09-10 15:29:57
+1  A: 

Watching the process with firebug shows that all RPCs are happening over the same protocol that the host page was requested with. This seems to be required for same-site-origin rules, so I'm going to assume that my answers are

1: Yes, but it's slower

2: GWT automatically uses https when the host page was requested w/ https

Riley  2010-09-26 13:11:53

related questions

How would you implement a secure static login credentials system in Java?
Blocking https url's in a embedded gecko browser
Restrict Apache to only allow access using SSL for some directories
How to put up an off-the-shelf https to http gateway?
Rails SSL Requirement plugin -- shouldn't it check to see if you're in production mode before redirecting to https?
What's the best way to learn server RESTful code?
Force HTTPS. How is it possible?
How can I get LWP to validate SSL server certificates?
What must I do to make content such as images served over HTTPS be cached client-side?
What does a PHP developer need to know about https / secure socket layer connections?
What's a clean/simple way to ensure the security of a page?
Making sure a web page is not cached, across all browsers.
Best way in asp.net to force https for an entire site?
Any way to handle Put and Delete verbs in ASP.Net MVC?
Response.Redirect with POST instead of Get?
How to get the correct Content-Length for a POST request.
IIS7: HTTP->HTTPS Cleanly
[ASP.NET ERROR] The request was aborted: Could not create SSL/TLS secure channel.
Testing HTTPS files with MAMP
How do banks remember "your computer"?
Avoid traffic shaping by using ssh on port 443
Convince Firefox to send an If-Modified-Since header over HTTPS
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
Options for Google Maps over SSL