A google account is already an open-id: http://openid.net/get-an-openid/ <http://openid.net/get-an-openid/> -- Jan Vladimir Mostert BEngSci
Mail: j...@mycee.com MyCee Technologies On Tue, Feb 1, 2011 at 5:46 PM, Jeff Schwartz <jefftschwa...@gmail.com>wrote: > Thanks but I'd like to limit the discussion to Google Accounts. > > > On Tue, Feb 1, 2011 at 10:19 AM, Jan Mostert <j...@mycee.com> wrote: > >> Spring Security should take care of most of those requirements since it >> already has openID support built in, but that will require authentication to >> happen outside your GWT application (I'm a bit paranoid exposing my >> javascript if people aren't authenticated) and if you really need the login >> to be in GWT, Vaadin does some serverside magic that will allow you to build >> a secure login form using GWT. >> >> >> >> On Tue, Feb 1, 2011 at 4:08 PM, Jeff Schwartz <jefftschwa...@gmail.com>wrote: >> >>> Hi all, >>> >>> I hope you don't mind me cross posting this to both the gwt and app >>> engine groups since I'd really like to get the opinions of users on both >>> platforms. >>> >>> I'm in the middle of developing a gwt application on app engine. The >>> application's security requirements are that non members, meaning those that >>> haven't registered, are restricted to viewing only the application's public >>> 'page'. >>> >>> What I developed for authentication is home grown using my own login >>> form, client side cookies and a User entity with password and email address >>> stored in the application's data store. While my home grown implementation >>> works perfectly I am not comfortable with the security implications of >>> cookies and passing raw passwords to the server to authenticate my users. I >>> also can not use SSL at this time as financial constraints unfortunately >>> prohibit any expenditures on this project. >>> >>> As I place my users' privacy and security above all else I am therefore >>> looking to implement a better solution; one that would if possible eliminate >>> my responsibility altogether of having to store cookies and passwords and >>> transport them via HTTP when authenticating. >>> >>> One alternative that I am currently considering is using Google Accounts >>> to authenticate my users along with my own User entity that would store the >>> additional information users must provide when registering to use the >>> services of my application. My User entity (not to be confused with the User >>> object provided by the User API) would store the user's Google Account ID >>> and would provide the ability to determine if a user is registered simply by >>> querying for their Google Accounts ID in my datastore. It would eliminate >>> having to store client side cookies and sending raw passwords to the server. >>> So far it seems like a win-win proposition as it appears to satisfy all my >>> use cases. >>> >>> For those who already use Google Accounts for user authentication are you >>> happy with the service? How about the services' availability track record >>> and does it provide the security you had hoped it would? >>> >>> For those using Google Accounts along with GWT have you found any >>> specific issues related to using it with GWT (I am using RPC BTW) that you >>> can relate? >>> >>> I am looking forward to reading your feedback and responses and thanks in >>> advance. >>> >>> Jeff >>> >>> >>> >>> >>> -- >>> *Jeff Schwartz* >>> >>> -- >>> You received this message because you are subscribed to the Google Groups >>> "Google Web Toolkit" group. >>> To post to this group, send email to google-web-toolkit@googlegroups.com >>> . >>> To unsubscribe from this group, send email to >>> google-web-toolkit+unsubscr...@googlegroups.com<google-web-toolkit%2bunsubscr...@googlegroups.com> >>> . >>> For more options, visit this group at >>> http://groups.google.com/group/google-web-toolkit?hl=en. >>> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Google Web Toolkit" group. >> To post to this group, send email to google-web-toolkit@googlegroups.com. >> To unsubscribe from this group, send email to >> google-web-toolkit+unsubscr...@googlegroups.com<google-web-toolkit%2bunsubscr...@googlegroups.com> >> . >> For more options, visit this group at >> http://groups.google.com/group/google-web-toolkit?hl=en. >> > > > > -- > *Jeff Schwartz* > > -- > You received this message because you are subscribed to the Google Groups > "Google Web Toolkit" group. > To post to this group, send email to google-web-toolkit@googlegroups.com. > To unsubscribe from this group, send email to > google-web-toolkit+unsubscr...@googlegroups.com<google-web-toolkit%2bunsubscr...@googlegroups.com> > . > For more options, visit this group at > http://groups.google.com/group/google-web-toolkit?hl=en. > -- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to google-web-toolkit@googlegroups.com. To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.