I've done this recently, although not yet as part of a GWT app;
however, I can't see why that would be a factor.

The technique I used was to embed an iframe on
http://yoursite.com/app that points to https://yoursite.com/login.
The frame contains a form that is also submitted back to
https://yoursite.com/login, which returns a redirect to
http://yoursite.com/login?secureToken=abcdefghiklmnopqrstuvwxyz.

Every time login is rendered, it is rendered differently:
- the first time, it renders the login form
- the second time, it authenticates the login and returns a redirect
- the third time, it renders JavaScript that talks to the parent page:

    window.top.secureSignIn(secureToken);

Finally, you still need to log in, but now you can log in using an AJAX
call, passing in the secure token, and let the back-end authenticate a
second time using that. Therefore, you never have to leave the
original page, but rather show/hide the login iframe.

HTH,
/dave
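
Added example, not part of the original post: a server-side sketch of the secureToken handoff described above, written for Node.js. Because the token travels in an http:// redirect URL, the back-end here treats it as random, short-lived and single-use. The names issueSecureToken, redeemSecureToken, purgeExpired and the 30-second lifetime are assumptions made for illustration.

```javascript
// Added example (hypothetical names): one-time handoff token for the iframe login flow.
const crypto = require('node:crypto');

const TOKEN_TTL_MS = 30 * 1000; // assumption: only needs to outlive the redirect + AJAX call
const pending = new Map();      // sha256(token) -> { user, expires }

// Store and look up tokens by hash so the raw value is never kept server-side
// and the lookup does not compare secret strings byte by byte.
const digest = (token) => crypto.createHash('sha256').update(token).digest('hex');

// Second render (HTTPS): credentials were verified, mint the token for the redirect URL.
function issueSecureToken(user, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  pending.set(digest(token), { user, expires: now + TOKEN_TTL_MS });
  return token;
}

// Final step (AJAX): the back-end authenticates a second time using the token.
// Returns the user name on success, null for unknown, replayed or expired tokens.
function redeemSecureToken(token, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const key = digest(token);
  const entry = pending.get(key);
  if (!entry) return null;
  pending.delete(key); // single use: consumed even if it turns out to be expired
  return now <= entry.expires ? entry.user : null;
}

// Housekeeping for tokens that were issued but never redeemed.
function purgeExpired(now = Date.now()) {
  let removed = 0;
  for (const [key, entry] of pending) {
    if (now > entry.expires) { pending.delete(key); removed += 1; }
  }
  return removed;
}

// Constructed walk-through: the first redemption succeeds, a replay of the same token fails.
const demoToken = issueSecureToken('demo-user');
console.log('first use :', redeemSecureToken(demoToken));
console.log('replay    :', redeemSecureToken(demoToken));
```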