COMP 405
Spring 2014

Authentication in GAE


Restricting access

You can restrict access to a URL to only those clients that are logged in, either as regular Google users or as administrators for your application.

All you need to do is add a login parameter to the URL route to that page.  For example:

  - url: /[url path]/*    # this covers all pages in the folder.
    # other parameters...
    login: admin

Your app can authenticate users using any one of 3 options:

 

Logging in and out

The following discussion covers the logging of a browser-based client into a server app, not one server app logging in to another server app.

Logging in and out works by creating URLs to which clients are directed to perform the actual log in/out. Embedded in each such URL is a second URL to which the user is automatically redirected after the log in/out is performed. This process ensures that the proper authenticating host is the one performing the log in/out, while remaining semi-transparent to the application.

The following example only works on the server-side:

import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

// Inside a servlet or other server-side method:
UserService userService = UserServiceFactory.getUserService();   // Get the User service
if (!userService.isUserLoggedIn()) {   // check if the user is already logged in
    String loginURL = userService.createLoginURL( logged_in_URL );   // The logged_in_URL is often this page, since it can handle a logged in user.
    // direct the user to this login URL
}
else {
    String logoutURL = userService.createLogoutURL( log_out_URL );   // log_out_URL is often the app's home page
    // Use this URL in a log out button or the like

    String userNickname = userService.getCurrentUser().getNickname(); // Get some info about the user
    // Do processing as per a logged in user
}

Authentication in GWT clients

Since authentication is fundamentally a server-side operation, you can't even import the com.google.appengine.api.users package in GWT client code.

Fundamentally, what one has to do is to go through the server to get any authentication information, e.g. user info, log in/out URLs, etc.   There are two ways to do this:

  1. In the GWT client's onModuleLoad(), make an RPC call to the server to get the necessary information.
  2. Use a regular servlet to serve up the GWT HTML page, inserting the authentication information as it returns its response to the user.
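As an added example (not code from the course page), here is a server-side endpoint a GWT client could call from onModuleLoad() to fetch the authentication information. It is written as a plain servlet returning JSON rather than GWT-RPC so that it fits in one file; the class name AuthInfoServlet, the returnTo parameter and the JSON field names are assumptions made for illustration.

```java
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (example code); map it in web.xml to a path such as /authinfo.
public class AuthInfoServlet extends HttpServlet {
    // The post-login destination is supplied by the client, so accept only a
    // local path; anything else falls back to the app's home page.
    static String safeReturnPath(String requested) {
        boolean local = requested != null && requested.startsWith("/")
                && !requested.startsWith("//") && !requested.contains("\\");
        return local ? requested : "/";
    }

    // Minimal JSON string escaping for the values placed in the response.
    static String jsonString(String s) {
        StringBuilder out = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') out.append('\\').append(c);
            else if (c < 0x20 || c == '<') out.append(String.format("\\u%04x", (int) c));
            else out.append(c);
        }
        return out.append('"').toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        UserService userService = UserServiceFactory.getUserService();
        StringBuilder json = new StringBuilder("{");
        if (userService.isUserLoggedIn()) {
            json.append("\"loggedIn\":true")
                .append(",\"admin\":").append(userService.isUserAdmin())
                .append(",\"nickname\":").append(jsonString(userService.getCurrentUser().getNickname()))
                .append(",\"logoutUrl\":").append(jsonString(userService.createLogoutURL("/")));
        } else {
            String returnPath = safeReturnPath(req.getParameter("returnTo"));
            json.append("\"loggedIn\":false")
                .append(",\"loginUrl\":").append(jsonString(userService.createLoginURL(returnPath)));
        }
        resp.setContentType("application/json; charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");   // per-user data; keep it out of caches
        resp.getWriter().write(json.append('}').toString());
    }
}
```

The client should use these values only to draw its UI (login link, logout button, greeting). Access control still comes from the login setting on the URL route and from checks made on the server.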

 

 


© 2013 by Stephen Wong