I had originally mentioned that we want to use OpenID to authenticate the user. I now see that OpenID (v2) has fallen out of favor and is replaced with vendor-specific authentication, e.g. Google, Facebook, etc. For our purposes we were only going to support Google anyway, so now that would be Google+ Sign-In or the OpenID Connect protocol that it is based on instead of OpenID v2.
So my questions are still the same but the protocols have changed.
1. Using the container authentication approach, does that work with OpenID Connect/Google+, etc.? Does Tomcat support this? If not, others?
2. Is this the right way to incorporate security in a GWT app?
3. Or should I incorporate OpenID Connect support directly in my app?
4. If using the container approach, can I get some of the features I need, such as:
4a. Single user session (terminate prior sessions).
4b. User inactivity timeouts.
From the context of GWT, I would really like to see some overall documentation on the various approaches to solving these issues, either from the container approach point of view or any other, such as Spring Security.