I am eager to build an application with GWT and App Engine. I'm more familiar with App Engine: creating dynamic HTML pages with servlets and JSPs. I'm wondering, however, if this type of application technology belongs with GWT?
The two examples I can foresee being a problem are login and database retrieval.
For user log-in, my current approach is simple: at the beginning of a servlet, check if the user object exists. If it does, show the page. If it doesn't, redirect to Google's login service. How does this model fit in with GWT? It seems to me that GWT compiles into static html/javascript/css files you place on your server. With this approach, it doesn't seem possible to do any server processing to check for a valid user before serving the static page (because any user could just bypass the servlet and type the static page URL directly).
The other example would be showing data from the App Engine datastore. If I wanted to create a table with each row being an entry from the datastore, I would dynamically create the HTML in a servlet, and do my datastore access there, etc. It seems with GWT I would have to serve a container HTML page, then use AJAX to load the database content after the fact?
Maybe GWT isn't right for my type of application, or maybe I'm just thinking about web application development the wrong way. Some clarification would be appreciated.
In an oversimplified sense, a typical GWT app will work like this:
User navigates to your web page. Their browser uses a static url(s) to download all the javascript, css, and images necessary to run your app.
From now on, every time a user presses a button or otherwise interacts with the page, data is retrieved via an AJAX call. So yes, they might download your app before logging in, but all your security-sensitive data would only be returned via an AJAX call, giving you the chance to validate their identity however you wish (cookie, user/pass, etc.).
This is basically what you describe in your second example about loading data from the datastore. It sounds like you think this is bad for some reason, but you don't say why.
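An added example, not from the answer above, of the split it describes: a tiny WSGI app that hands the compiled bundle to anyone but checks a server-side session before the AJAX data call returns any rows. The session store, bundle file name and datastore rows are constructed stand-ins.

```python
import json
from http.cookies import SimpleCookie

# Constructed stand-ins: the static shell GWT would emit, a server-side
# session table (cookie value -> user), and "datastore" rows.
STATIC_SHELL = "<html><body><script src='/app.nocache.js'></script></body></html>"
SESSIONS = {"sess-1234": "alice"}
ROWS = [
    {"id": 1, "owner": "alice", "note": "alice's private entry"},
    {"id": 2, "owner": "bob", "note": "bob's private entry"},
]

def current_user(environ):
    """Resolve the caller from the session cookie; None if absent or unknown."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookie["sid"].value if "sid" in cookie else None
    return SESSIONS.get(sid)

def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if path == "/":
        # The bundle itself carries no data, so anyone may fetch it.
        start_response("200 OK", [("Content-Type", "text/html")])
        return [STATIC_SHELL.encode()]
    if path == "/api/rows":
        # The AJAX endpoint is where identity is enforced.
        user = current_user(environ)
        if user is None:
            start_response("401 Unauthorized", [("Content-Type", "application/json")])
            return [b'{"error": "login required"}']
        rows = [r for r in ROWS if r["owner"] == user]
        start_response("200 OK", [("Content-Type", "application/json")])
        return [json.dumps(rows).encode()]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

def call(path, cookie=None):
    """Invoke the app in-process (no socket) and return (status, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body
```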
I just read the following.
... your web app can be considered static. Some examples of this type of web application are a simple personal home page, an online games portal that doesn't save data to the server on which it is hosted, or an AngularJS app that performs multiple calls to a RESTful API provided by another service.
So if a website is based purely on angular, does not have any server code and solely depends on API calling to retrieve and save data, will it be considered static or dynamic?
A dynamic website means we can change the site's content without modifying the source code. For your website, if it is showing data from a REST API, which means it depends on a server somewhere, then it is a dynamic website.
I am working on a web application as an interface with Google Cloud Storage (GCS).
I am using a backend service to retrieve the list of files I stored on GCS and their URLs with the JSON API and return that to my web application. However, I was not really able to load the files through those URLs, which always came back with 403 Forbidden.
I am not sure how GCS authentication works behind the scenes and whether it is possible to directly grant access to a web application. I am not sure how I could attach application authentication information via an HTTP request. What I know is I can do that via the backend service, but for the sake of simplicity I wonder if it is possible to get around that. One of the things I tried is adding the web application domain (which will be sent via the referrer in the HTTP request) into the ACL of that bucket, which doesn't work at all.
And thanks to what #Brandon pointed out below. I am OK with granting anyone who has access to the application the ability to view the content of the GCS bucket, since it is an internal app and I have already checked their authentication when I first serve the web application.
====
Solution
I ended up using the signedUrl that expires in 5 minutes, and I highly recommend interacting with GCS using gcloud (their Python documentation is really good). Thanks again for the thorough answer!
You have a user on a web browser who wants to download an object that only your application's service account has read access for. You have a few options:
1. Expand access: make these objects publicly readable. Probably not the best choice if this info is sensitive, but if it's not, this is the easiest solution.
2. Give your app's credentials to the user so that they can authenticate as your app. This is a REALLY bad idea, and I probably shouldn't even list it here.
3. When a user wants to download a file, have them ask your app for it, and then have your app fetch the file and stream its contents to the user. This is the easiest solution for the client-side code, but it makes your app responsible for streaming file contents, which isn't really great.
4. When a user wants to download a file, have them ask your app for permission, and reply to them with some sort of token they can use to fetch the data directly from GCS.
#4 is what you want. Your users will ask your app for a file, your app will decide whether they are allowed to access that file via whatever you're doing (passwords? IP checks? Cookies? Whatever.) Then, your app will respond with a URL the user can use to fetch the file directly from GCS.
This URL is called a "signed URL." Your app uses its own private key to add a signature to a URL that indicates which object may be downloaded by the bearer and for how long the URL is valid. The procedure for signing URLs is somewhat tricky, but fortunately the gcloud storage libraries have helper functions that can generate them.
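An added example, not the answer's code and not the gcloud library, modelling option #4 end to end: the app applies its own access rule, then issues a URL whose query string carries an expiry and a signature bound to that object and expiry; the storage side recomputes the signature before serving. It assumes HMAC-SHA256 with an app-held secret as a stand-in for the RSA signature a real GCS signed URL gets from the service account's private key; the bucket name, users and access table are constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

BUCKET = "example-internal-bucket"        # constructed
APP_SECRET = b"constructed-signing-key"   # stand-in for the service account's private key
ALLOWED = {"alice": {"reports/q1.pdf"}}   # the app's own access rule (constructed)

def canonical_string(bucket, obj, expires):
    # What gets signed: method, resource and expiry. A signature over this
    # string is useless for any other object and after the deadline.
    return f"GET\n/{bucket}/{obj}\n{expires}"

def signature(bucket, obj, expires):
    msg = canonical_string(bucket, obj, expires).encode()
    return hmac.new(APP_SECRET, msg, hashlib.sha256).hexdigest()

def issue_signed_url(user, obj, now=None, ttl=300):
    """App side: a URL valid for ttl seconds, or None if user may not read obj."""
    if obj not in ALLOWED.get(user, set()):
        return None                      # the app's own authorization decision
    expires = int(now if now is not None else time.time()) + ttl
    query = urlencode({"Expires": expires, "Signature": signature(BUCKET, obj, expires)})
    return f"https://storage.example/{BUCKET}/{obj}?{query}"

def storage_serve(url, now=None):
    """Storage side: 200 if the signature is valid and unexpired, else 403."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        _, bucket, obj = parsed.path.split("/", 2)
        expires = int(query["Expires"][0])
        sig = query["Signature"][0]
    except (KeyError, ValueError):
        return 403                       # malformed: missing bucket, object or params
    if (now if now is not None else time.time()) > expires:
        return 403                       # the short validity window has passed
    if not hmac.compare_digest(sig, signature(bucket, obj, expires)):
        return 403                       # object name or expiry was altered
    return 200
```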
I am currently in the research process of building my first application in angular2 and I have a question on how to restrict the client side javascript/content that a user will see based on the permissions they have in the application.
My application will have numerous permissions that will restrict users from seeing certain pages, along with the ability to do certain actions on a page. For a simplistic perspective, think of a configuration area for the tool/application that only someone with admin permission would be able to access. A non-privileged user would only see the main menu items and not the "Site Settings" which leads to the admin area and therefore hopefully none of the templates/components that encompass said area.
I came across this link (http://blog.mgechev.com/2015/12/30/angular2-router-dynamic-route-config-definition-creation/) and think this might be what I need, but was hoping for other people's thoughts who are more familiar with angular and other SPA type client-side javascript frameworks.
How do you set up an angular2 application so that only applicable templates and components are downloaded to the client based on the user's permissions? Does all of this get thrown out the window once you use a process that combines all the angular files to limit the number of JS files the client browser needs to load? I realize the importance of securing the middle-tier API, but don't see the point of having clients download a bunch of data/templates that they will never be able to access. Initial loads should be as fast as possible.
I was wondering what would be a better way to let my jQuery Mobile app "know" the user of the app after completing a registration process. Since the handlers in my Python Google App Engine app expect a username, I decided to store the username in localStorage and then use this as part of any request made to the server. But I don't think this is a good design idea (?). After a lot of searching, I have found that jQuery Mobile does not support Google login (please correct me if I am wrong), so I have decided to use the Users Service from the server end. I am confused on how to implement this, since the Users Service from Google has its own sign-in form.
Is it possible to use this same service with jQuery? If so, can I change the design of the sign-in form to blend in with the design of my jQuery app?
jQuery Mobile is just a template designer created directly for mobile web applications using a mobile web browser. It does not possess any connections with server side scripting automatically.
You need to create a connection using server side scripting.
Once you log in using the Google Login, your app associates it with the Google account.
jQuery is just browser scripting. It does not have an automatic connection with the server unless you connect using AJAX to make a request to a server, but you still need to code the server using the HTTP protocol (as a tunnel) and a server-side scripting language like Java, Python, or PHP.
If you just want to get the "username" using JavaScript, you may use REST to get the user information after login. You may look for how JSON or XML REST is created (putting the username in local storage is not a bad option, without the password; however, it may get deleted if you clear the root). Knowing that you are already connected with Google Sign-In, as long as you are already logged in with Google, your app should be able to retrieve the Google username.
Udacity also contains a complete course about web development focused on Google App Engine using Python, and how you may use cookies, password encryption, as well as user login. Detailed information about the HTTP protocol is also discussed.
https://www.udacity.com/course/cs253
Note that the course I took existed 2 years ago. It may be different now.
Or can it be done?
For example, I want to help a few friends to set up their shopping cart websites. They have their website domain names already purchased. But I want to pay for one Google App Engine application at www.mywebsite.com, and I want to "forward" their domains to www.mywebsite.com/friend1, www.mywebsite.com/friend2. In this way, I want their customers to see their website, which could be http://www.friend1.com, but they are actually served by one single App Engine application.
In my application, I know how to get the path analyzed so I can go to the datastore to serve different pages, HTML. So the question is just how, or whether, different domains can be forwarded to one Google App Engine app. Thanks!
I'm not quite sure what your exact meaning of "forward" is, but I'll try to answer for different situations.
If you want the browser to keep displaying www.friend1.com all the way without ever showing www.mywebsite.com, you should have friend1.com set up as a Google App account, and add their domain into your application (just like you did for your own domain). This way, all traffic to www.friend1.com (or whatever subdomain they pick) goes to your App Engine app. And your app should detect the domain of the HTTP request and respond accordingly.
If you just want a "redirect"... that means a user going to www.friend1.com will have their browser automatically go to www.mywebsite.com/friend1 and display it in the URL bar. Well, just set up one index.html page on www.friend1.com and add a meta refresh header in the file. Or use any server-side redirect method.
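An added example, not the answer's code, of the first situation: a small WSGI app that picks the tenant from the Host header and serves that tenant's pages, and also maps the owner's own domain plus a path prefix to a tenant. The tenant map doubles as an allowlist, so a Host value the app does not know gets a 404 rather than being trusted for routing or echoed into a redirect. The domains and page text are constructed.

```python
# Constructed tenant map: host -> tenant name. None marks the owner's own
# domain, where the first path segment names the tenant instead.
TENANTS = {
    "www.friend1.com": "friend1",
    "friend1.com": "friend1",
    "www.friend2.com": "friend2",
    "www.mywebsite.com": None,
}
# Constructed pages, keyed by (tenant, path) as the datastore lookup would be.
PAGES = {("friend1", "/"): "Friend1 shop", ("friend2", "/"): "Friend2 shop",
         ("friend2", "/cart"): "Friend2 cart"}

def resolve_tenant(host, path):
    """Return (tenant, path-within-tenant); tenant is None for unknown hosts."""
    host = host.split(":", 1)[0].lower()        # strip any port, normalise case
    if host not in TENANTS:
        return None, path                       # not on the allowlist: do not route
    tenant = TENANTS[host]
    if tenant is not None:
        return tenant, path
    # www.mywebsite.com/<tenant>/rest -> (tenant, /rest)
    parts = path.lstrip("/").split("/", 1)
    rest = "/" + (parts[1] if len(parts) > 1 else "")
    return (parts[0] or None), rest

def app(environ, start_response):
    tenant, path = resolve_tenant(environ.get("HTTP_HOST", ""), environ.get("PATH_INFO", "/"))
    page = PAGES.get((tenant, path))
    if page is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [page.encode()]

def call(host, path):
    """Invoke the app in-process and return (status, body)."""
    captured = {}
    environ = {"HTTP_HOST": host, "PATH_INFO": path}
    body = b"".join(app(environ, lambda status, headers: captured.setdefault("status", status)))
    return captured["status"], body.decode()
```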