0
votes

I'm writing a web app using GWT and GAE (Java). I know GAE pretty well, especially the Python version; I'm new to GWT and the Java version of GAE.


I tried to set up my app so that the user had to be logged in to access it; from app.yaml:

application: myapp
version: 1
runtime: java

welcome_files:
 - index.jsp
 - index.html

handlers:

- url: /admin/*
#  secure: always
  login: admin

- url: /MyApp.html
#  secure: always
  login: required

This seems to generate a web.xml that has access restrictions on the main page:

 <security-constraint>
   <web-resource-collection>
     <url-pattern>/MyApp.html</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>*</role-name>
   </auth-constraint>
 </security-constraint>

As expected, when run under ant devmode I am required to fake-login when I first go to the page.


However I wanted the user to have a logout url.

First, there seems to be no way to do this on the client, which seems bizarre: how can it be that I have to hit the server just to generate a URL so that the user can log out? However, not seeing an alternative, I wrote an RPC service to do this.

I used an HTML element in GWT to put the link on the page; this seems to work when I put links to Google searches, etc. When I put the URL to logout (which was generated to link the user back to the main page, which requires login; something I have done before with the Python version of GAE without all the Ajax stuff), instead of getting asked to log in again (and then seeing the main page), I just get a 404 Not found: /_ah/MyApp.html. I thought this was perhaps some effect of the Chrome plugin running under devmode, so I actually compiled the app and ran it as a compiled GAE app (dev_appserver.sh); exact same problem.


Another odd effect is that under some circumstances (perhaps after having just done the above) I go to the main page of my app and the RPC service I wrote to get the logout URL for the user replies that the user is not logged in.

Given the app.yaml configuration (which seems to correctly generate the web.xml) to not even let the user see the page unless they are logged in, how is it possible for that to even happen? Even if the user is being correctly logged out (by the page which then says 404), how can I ever go to my app main page and yet not be logged in?

Is this an Ajax effect where the user is logged out, but the page stays around (having already been rendered when the user was logged in) and then the RPC hits the server and finds out that the user is now logged out? If this is the case, then it seems rather pointless to restrict access in the app.yaml / web.xml as I also have to check it every time I get an RPC call anyway, right? (I suppose the app.yaml configuration might save a few server round-trips the first time the user visits the page?)


I'm running an up-to-date version of OS X 10.6.8 (x86). My browser is Chrome: 16.0.912.63 (Official Build 113337)

$ java -version
java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-10M3527)
Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)

I'm using gwt-2.4.0.

2 Answers

3
votes

The sticky notes demo code from Google App Engine uses an RPC and the link is created on the server side using something like:

userService.createLogoutURL(userService.createLoginURL("/"))

I have not tried it yet.

Update: I tested it and it worked fine.

0
votes

You can have a servlet (or JSP page) that creates a logout URL and redirects the client to it.
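
A sketch of the servlet approach combined with the nested logout/login URL from the other answer; this is an added example, not code from either answer or from the sticky notes demo. The class name `LogoutServlet`, its `/logout` mapping and the `LANDING_PAGE` constant are assumptions.

```java
import java.io.IOException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

// Hypothetical servlet, assumed to be mapped to /logout in web.xml.
public class LogoutServlet extends HttpServlet {

    // Fixed, server-chosen destination after the user logs back in.
    // It is deliberately not read from a request parameter, so the
    // servlet cannot be used as an open redirect.
    private static final String LANDING_PAGE = "/";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        UserService userService = UserServiceFactory.getUserService();

        // Keep intermediaries and the browser from caching the redirect,
        // since the generated URLs are specific to the current session.
        resp.setHeader("Cache-Control", "no-store");

        // Where the user ends up after logging out: the login prompt,
        // which in turn sends them to the landing page.
        String loginUrl = userService.createLoginURL(LANDING_PAGE);

        // Edge case: the session is already gone (expired, or the user
        // logged out in another tab). Skip the logout hop entirely.
        if (!userService.isUserLoggedIn()) {
            resp.sendRedirect(loginUrl);
            return;
        }

        // Log out first, then land on the login prompt.
        resp.sendRedirect(userService.createLogoutURL(loginUrl));
    }
}
```

With this in place the GWT client can use a plain link to `/logout` and does not need an RPC round trip just to obtain the URL.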