To tidy up this thread I'd like to report that I have successfully
implemented Google Accounts authentication in Love My Vehicle On The Web at
http://lovemyvehicle.appspot.com/. I am sorry to say, though, that I had to
completely purge the datastore at the same time (the requirements for my
previous home grown approach were much different than what was needed by
using Google Accounts so it really required new schemas to match the use
case) so anyone who had previously registered to check out the progress I
am making on the application's development will have to register again but
this time with Google Accounts. I apologize but I think you will agree that
using the secure services of Google Accounts going forward greatly outweighs
this minor inconvenience.

BTW, I implemented Google Accounts without resorting to using JSP and
HttpServlet. Instead, I was able to implement the service using RPC and
RemoteServiceServlet. If anyone is interested in getting more details on
this please let me know and if there are enough requests I will contribute
an article covering the subject on my Blog at
http://lovemyvehicle.blogspot.com/.

Jeff


On Tue, Feb 1, 2011 at 9:08 AM, Jeff Schwartz <jefftschwa...@gmail.com> wrote:

> Hi all,
>
> I hope you don't mind me cross posting this to both the gwt and app engine
> groups since I'd really like to get the opinions of users on both platforms.
>
> I'm in the middle of developing a gwt application on app engine. The
> application's security requirements are that non members, meaning those that
> haven't registered, are restricted to viewing only the application's public
> 'page'.
>
> What I developed for authentication is home grown using my own login form,
> client side cookies and a User entity with password and email address stored
> in the application's data store. While my home grown implementation works
> perfectly I am not comfortable with the security implications of cookies and
> passing raw passwords to the server to authenticate my users. I also can not
> use SSL at this time as financial constraints unfortunately prohibit any
> expenditures on this project.
>
> As I place my users' privacy and security above all else I am therefore
> looking to implement a better solution; one that would if possible eliminate
> my responsibility altogether of having to store cookies and passwords and
> transport them via HTTP when authenticating.
>
> One alternative that I am currently considering is using Google Accounts to
> authenticate my users along with my own User entity that would store the
> additional information users must provide when registering to use the
> services of my application. My User entity (not to be confused with the User
> object provided by the User API) would store the user's Google Account ID
> and would provide the ability to determine if a user is registered simply by
> querying for their Google Accounts ID in my datastore. It would eliminate
> having to store client side cookies and sending raw passwords to the server.
> So far it seems like a win-win proposition as it appears to satisfy all my
> use cases.
>
> For those who already use Google Accounts for user authentication are you
> happy with the service? How about the service's availability track record
> and does it provide the security you had hoped it would?
>
> For those using Google Accounts along with GWT have you found any specific
> issues related to using it with GWT (I am using RPC BTW) that you can
> relate?
>
> I am looking forward to reading your feedback and responses and thanks in
> advance.
>
> Jeff
>
>
>
>
> --
> *Jeff Schwartz*
>
>


-- 
*Jeff Schwartz*
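
The design described in the quoted message (a User entity looked up by Google Account ID, served over GWT RPC rather than JSP), as an added example that is not part of the original post or the poster's code. The servlet takes the signed-in account from the App Engine Users API on the server and checks registration by key; the names `AccountService`, `AccountStatus` and the `AppUser` kind are assumptions.

```java
import com.google.appengine.api.datastore.DatastoreService;
import com.google.appengine.api.datastore.DatastoreServiceFactory;
import com.google.appengine.api.datastore.EntityNotFoundException;
import com.google.appengine.api.datastore.KeyFactory;
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import java.io.Serializable;

// Hypothetical RPC contract and DTO; in a GWT module both are public types in the client/shared package.
interface AccountService extends RemoteService { AccountStatus currentStatus(); }

class AccountStatus implements Serializable {
    boolean signedIn;    // a Google Account session exists
    boolean registered;  // an AppUser entity exists for that account
    String loginUrl;     // set only when nobody is signed in
}

public class AccountServiceImpl extends RemoteServiceServlet implements AccountService {
    private static final String KIND = "AppUser"; // hypothetical kind, keyed by Google Account ID
    private final UserService users = UserServiceFactory.getUserService();
    private final DatastoreService datastore = DatastoreServiceFactory.getDatastoreService();

    @Override
    public AccountStatus currentStatus() {
        AccountStatus status = new AccountStatus();
        User user = users.getCurrentUser(); // null when nobody is signed in
        if (user == null) {
            // The app never sees a password: sign-in happens on Google's page.
            status.loginUrl = users.createLoginURL("/");
            return status;
        }
        status.signedIn = true;
        status.registered = isRegistered(user);
        return status;
    }

    // The account ID comes from the Users API on the server, never from an RPC argument,
    // so a client cannot claim to be another member by sending a different ID.
    private boolean isRegistered(User user) {
        try {
            datastore.get(KeyFactory.createKey(KIND, user.getUserId()));
            return true;
        } catch (EntityNotFoundException e) {
            return false;
        }
    }
}
```

Members-only RPC methods would repeat the same server-side lookup before returning data, since hiding a page in the GWT client does not restrict what the servlet will answer.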
