As you guessed, the GWT-REST module does not include authentication
mechanisms, as many are possible in the context of a REST architecture.
It really comes down to this: for each HTTP request, check user
permissions for a given operation against a resource on the server
side. If they are not authorized, return an HTTP 401 and GWT-REST will
call the onError method of your ResponseHandler so that you can react
appropriately. You may want to alter the scenario slightly for users
who have not yet logged in, redirecting them to your login page.

As for my login screen, I use OpenID, creating a Session resource and
redirecting to the GWT interface if successful. Upon logout, the
Session resource is destroyed.

The above discussion mostly relates to REST with GWT in general, which
is probably appropriate for this group. However, if you have more GWT-
REST-specific questions, please join the new GWT-REST Google Group:
http://groups.google.com/group/gwt-rest
-Jon
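
The per-request check described in the message above, as an added example that is not part of the original post or of GWT-REST: a server-side Session resource is created at login, destroyed at logout, and every request is authorized against it, with anything not explicitly granted answered with 401. The class name, the grants table and the users are constructed for illustration; it needs only the JDK (Java 9 or later).

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper: authorizes each request against a server-side Session resource. */
public class SessionAuthz {
    // Session resources: token -> user. Created after login, removed on logout.
    private final Map<String, String> sessions = new ConcurrentHashMap<>();
    // Constructed sample permissions: user -> allowed "METHOD /resource" pairs.
    private final Map<String, Set<String>> grants = Map.of(
        "alice", Set.of("GET /orders", "PUT /orders"),
        "bob", Set.of("GET /orders"));
    private final SecureRandom rng = new SecureRandom();

    /** Call only after the login step (OpenID in the post) has succeeded. */
    public String createSession(String user) {
        byte[] raw = new byte[32]; // 256-bit random token, not guessable
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, user);
        return token;
    }

    /** Logout: the Session resource is destroyed, so the token stops working. */
    public void destroySession(String token) {
        if (token != null) sessions.remove(token);
    }

    /** HTTP status for one request: 200 if allowed, otherwise 401 as the post describes. */
    public int authorize(String token, String method, String resource) {
        String user = (token == null) ? null : sessions.get(token);
        if (user == null) return 401; // no live session: client can send the user to login
        Set<String> allowed = grants.getOrDefault(user, Set.of());
        // Deny by default. Many APIs use 403 here; this follows the post and returns 401.
        return allowed.contains(method + " " + resource) ? 200 : 401;
    }

    public static void main(String[] args) {
        SessionAuthz authz = new SessionAuthz();
        String bob = authz.createSession("bob");
        System.out.println("bob GET /orders: " + authz.authorize(bob, "GET", "/orders"));
        System.out.println("bob PUT /orders: " + authz.authorize(bob, "PUT", "/orders"));
        authz.destroySession(bob);
        System.out.println("after logout:    " + authz.authorize(bob, "GET", "/orders"));
        System.out.println("no token:        " + authz.authorize(null, "GET", "/orders"));
    }
}
```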