I really wish I had an answer to this.
On Jun 10, 5:04 pm, Shane <shanelstev...@gmail.com> wrote:
> Sorry to keep talking to myself here, but I find what other sites are
> doing really interesting, and pertinent to GAE because there doesn't
> seem to be an agreed upon solution.
>
> Facebook uses a form for their logins that posts to an HTTPS url:
>
> https://login.facebook.com/login.php?
>
> So does Google for that matter.
>
> Twitter also allows forhttp://twitter.comandhttps://twitter.com,
> although the default is plaint http, probably because https is slower
> and more computationally expensive.
>
> So it looks like https is the most secure way, but I noticed that
> Google App Engine doesn't allow SSL unless you are using a
> *.appspot.com domain.
>
> http://code.google.com/appengine/docs/python/config/appconfig.html#Se...
>
> So if I have have my blah.mydomain.com pointing via DNS CNAME, to my
> blah.appspot.com, I can't usehttps://blah.mydomain.com.
>
> All this just to not send the password to the server plain text. :|
>
> Cheers,
> Shane
>
> On Jun 10, 4:15 pm, Shane <shanelstev...@gmail.com> wrote:
>
>
>
> > I've actually just noticed that Twitter itself uses Basic Auth:
>
> >http://apiwiki.twitter.com/Authentication
>
> > It says OAuth is in development, but that Basic Auth won't be going
> > anywhere for the foreseeable future.
>
> > The trouble is, Basic Auth is insecure:
>
> >http://en.wikipedia.org/wiki/Basic_access_authentication
>
> > "Although the scheme is easily implemented, it relies on the
> > assumption that the connection between the client and server computers
> > is secure and can be trusted. Specifically, the credentials are passed
> > as plaintext and could be intercepted easily. The scheme also provides
> > no protection for the information passed back from the server."
>
> > I am going to look around at other public web API's, but if a site as
> > large as Twitter is content to use this system, should I be all that
> > worried?
>
> > I would really like to know what experienced web programmers do here,
> > either in GAE+GWT, or just generally.
>
> > Cheers,
> > Shane
>
> > On Jun 10, 1:02 am, Shane <shanelstev...@gmail.com> wrote:
>
> > > I've seen some pretty heated debates around the discussion boards
> > > about this, but I haven't seen a solution that people decide on.
>
> > > Simply put, any application that I want to write will likely perform
> > > some sort of mashup between other services, like Twitter.
>
> > > For me to do anything interesting, I need the user to enter their
> > > Twitter username and password into a GWT client-side control on my
> > > site, which I then send back to my app on running on GAE. I'll then
> > > use the password to log into Twitter with their credentials and do
> > > whatever if is I want to do, all the while not saving the users
> > > password in plain text anywhere. I have no interest in holding onto
> > > anyone's credentials.
>
> > > So what is the best way for me to do this? I am hearing people say
> > > that anything short of HTTPS is a waste of time.
>
> > > I guess this also becomes the larger issue of authentication
> > > generally, and I'm surprised there are still such heated discussions
> > > on the subject. I thought it'd be a done deal by now.
>
> > > So, if anyone could point my in the right direction, in the context of
> > > GWT+GAE, I'd much appreciate it.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Google Web Toolkit" group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to
google-web-toolkit+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~----------~----~----~----~------~----~------~--~---
