GWT/GAE(Java): when combined with GAE, app.yaml / web.xml user authentication and login/logout not r


I'm writing a web app using GWT and GAE (Java). I know GAE pretty well, especially the Python version; I'm new to GWT and the Java version of GAE.

<hr />

I tried to set up my app so that the user had to be logged in to access; from app.yaml.

application: myapp version: 1 runtime: java welcome_files: - index.jsp - index.html handlers: - url: /admin/* # secure: always login: admin - url: /MyApp.html # secure: always login: required

This seems to generate a web.xml that has access restrictions on the main page:

<security-constraint> <web-resource-collection> <url-pattern>/MyApp.html</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint>

As expected, when run under ant devmode I am required to fake-login when I first go to the page.

<hr />

However I wanted the user to have a logout url.

First, there seems to be no way to do this on the client, which seems bizarre: how can it be that I have to hit the server just to generate a URL so that the user can logout? However, not seeing an alternative, I wrote an RPC service to do this.

I used an HTML element in GWT to put the link on the page; this seems to work when I put links to google searches, etc. When I put the URL to logout (which was generated to link the user back to the main page which requires login (something I have done before with the Python version of GAE without all the Ajax stuff) instead of getting asked to login again (and then seeing the main page), I just get a 404 Not found: /_ah/MyApp.html . I thought this was perhaps some effect of the Chrome plugin running under devmode, so I actually compiled the app and ran it as a compiled GAE app (dev_appserver.sh); exact same problem.

<hr />

Another odd effect is that under some circumstances (perhaps after having just done the above) I go to the main page of my app and the RPC service I wrote to get the logout URL for the user replies that the user is not logged in.

Given the app.yaml configuration (which seems to correctly generate the web.xml) to not even let the user see the page unless they are logged in, how is it possible for that to even happen? Even if the user is being correctly logged out (by the page when then says 404), how can I ever go to my app main page and yet not be logged in?

Is this an Ajax effect where the user is logged out, but the page says around (having already been rendered when the user was logged in) and then the RPC hits the server and finds out that the user is now logged out? If this is the case, then it seems rather pointless to restrict access in the app.yaml / web.xml as I also have to check it every time I get an RPC call anyway, right? (I suppose the app.yaml configuration might save a few server round-trips the first time the user visits the page?)

<hr />

I'm running an up-to-date version of OS X 10.6.8 (x86). My browser is Chrome: 16.0.912.63 (Official Build 113337)

$ java -version java version "1.6.0_29" Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-10M3527) Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)

I'm using gwt-2.4.0.


The sticky notes demo code from Google App Engine uses an RPC and the link is created on the server side using something like:


I have not tried it yet.

Update: I tested it and it worked fine.


You can have a servlet (or JSP page) that creates a logout url and redirects client to it.


  • wpf Grid best practices
  • How do I separate each line of a .csv file into a string list>
  • SLF4J - What is a dangling or detached marker?
  • What's the meaning of the ethereum Parity console output lines?
  • SmartGWT GWT client server architecture
  • extract number from string excel
  • .NET library for posting to a Blog
  • PHP: Overriding parent methods with __call
  • firebase unauth with google doesn't allow change of user
  • Authentication - JavaScript - Logout issue
  • How to get the index of element in the List in c#
  • UIBarButtonItem's action is not called when in a view with a UIGestureRecognizer
  • C++/CLI Thread synchronization including managed and unmanaged code
  • command line of process by name
  • Certain Arabic text gets incorrectly shown while other Arabic text gets showed normally?
  • How do you keep a running instance for Google App Engine
  • How can I sync the html/session used between Django's 'Client' and Selenium's we
  • WordPress > setting permalink option via script buggy?
  • .NET video play library which allows to change the playback rate?
  • Primefaces lazy datascroller calling load twice
  • Detecting null parameter in preprocessor macro
  • using System.Speech.Synthesis with Windows10 universal app (XAML-C#)
  • Login not working in Firefox in Meteor
  • Spring Cloud Microservice Architecture Confusion
  • Alternative to overridePendingTransition() - Android
  • Transactional Create with Validation in ServiceStack Redis Client
  • Handling un-mapped Rest path
  • Debugging ASP.NET on a built-in web server suddenly stops
  • PHP - How to update data to MySQL when click a radio button
  • Resize panoramic image to fixed size
  • How to recover from a Spring Social ExpiredAuthorizationException
  • Volusion's generic SQL folder, functionality
  • Javascript convert timezone issue
  • Circular dependency while pushing http interceptor
  • AngularJs get employee from factory
  • How to set the response of a form post action to a iframe source?
  • How do you join a server to an Active Directory (domain)?
  • coudnt use logback because of log4j
  • Change div Background jquery
  • Linking SubReports Without LinkChild/LinkMaster