Implementing secure login


Allen Holub

Feb 1, 2008, 6:24:38 PM
to Google Web Toolkit
Is there an easy way to implement a secure login using https and GWT
that looks like many of the examples we've all seen where the login
window morphs into a logout button? Because of same-origin issues,
login panels such as this usually have to be implemented as iframes
that are loaded using https, and logging in typically forces a forward
to another (https) page altogether. A GWT app really wants to be a
single page that changes its appearance with state, however. Clearly,
forcing users to log into your site using https is unacceptable, as is
an automatic forward from an http to an https page.

Put another way, many threads on this site are concerned with making
an https RPC call from a page that was downloaded using http. That's
not possible because of same-origin issues, but it seems that what
most people want to do is download the page using http, login using
https, then continue to use https for RPC calls. Short of creating two
independent GWT apps that share code, is there any way to accomplish
this end?

A snippet of example code that would show us how to implement the full
login sequence in such a way that we end up back in the original page,
but under https rather than http, with the login panel replaced with a
logout button (and ideally, with the compiled GWT code cached properly
so that it wouldn't have to be downloaded twice) would be really
wonderful.

Thanks

davidroe

Feb 2, 2008, 2:25:28 AM
to Google Web Toolkit
I've done this recently, although not yet as part of a GWT app;
however, I can't see why that would be a factor.

The technique I used was to embed an iframe on the http://yoursite.com/app
that points to https://yoursite.com/login. The frame contains a form
that is also submitted back to https://yoursite.com/login, which
returns a redirect to http://yoursite.com/login?secureToken=abcdefghiklmnopqrstuvwxyz.

Every time login is rendered, it is rendered differently:
- the first time, it renders the login form
- the second time, it authenticates the login and returns a redirect
- the third time, it renders JavaScript that talks to the parent page

window.top.secureSignIn(secureToken);

Finally, you still need to login, but now you can login using an AJAX
call, passing in the secure token, and let the back-end authenticate a
second time using that. therefore, you never have to leave the
original page, but rather show/hide the login iframe.

HTH,
/dave