Google App Engine : Consistently identifying the logged-in user – over Http or Https!

So, you have a secured application on Google App Engine and use its UserService to find out who the currently logged-on user is.

It all generally seems to work, except that sometimes user reports hint that UserService.getCurrentUser() returns null, and you are caught wondering “why!”.

A slightly deeper look into one such report couldn’t be avoided today. It turns out that UserService’s identification of the user seems to depend on the presence of the cookie “ACSID” or “SACSID”, depending on whether it was an “http” or “https” URL that triggered the user authentication, and these cookies are not interchangeable. If user authentication gets triggered over HTTPS (and a “SACSID” cookie is issued by Google App Engine), and the user then switches to an “HTTP” application URL in the same session, then this cookie is not sent to the server, because it is created with the “Secure” attribute, which is supposed to ensure that the cookie is transmitted only over HTTPS connections and not HTTP. Vice versa, if the user authentication started on HTTP (and an “ACSID” cookie was issued), then upon switching to HTTPS, although the cookie is sent to the server, it’s probably ignored because the server then looks for an SACSID cookie (which looks encrypted / longer). In any case, sending an “ACSID” cookie over HTTPS doesn’t seem sufficient for UserService to identify the user.

Yes, as an aside, I also didn’t know that just a difference of HTTP vs HTTPS makes a request cross-origin! 🙂

Coming back a bit, such an HTTP / HTTPS switch within a session is the cause of these sudden occurrences of UserService.getCurrentUser() returning null and user authorization breaking at such times.
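The four combinations of login scheme and request scheme, as a small Python model added here (not App Engine code and not the author's). The server-side lookup rule is the behaviour observed in this post, taken as an assumption; the user name and token format are constructed.

```python
# Added illustration: models the behaviour described in the post, not App Engine's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool  # "Secure" attribute: the browser sends it over HTTPS only

# Cookie the server looks for on each scheme, per the post's observation (assumption).
EXPECTED_COOKIE = {"http": "ACSID", "https": "SACSID"}
TOKEN_PREFIX = "token-for-"  # constructed token format, for illustration only

def issue_login_cookie(scheme, user):
    """Cookie set at login: SACSID (Secure) over HTTPS, ACSID over HTTP."""
    return Cookie(EXPECTED_COOKIE[scheme], TOKEN_PREFIX + user, secure=(scheme == "https"))

def cookies_sent(jar, scheme):
    """Browser side: Secure cookies are withheld from plain-HTTP requests."""
    return {c.name: c.value for c in jar if scheme == "https" or not c.secure}

def current_user(scheme, sent):
    """Server side: only the cookie matching the request scheme identifies the user."""
    token = sent.get(EXPECTED_COOKIE[scheme])
    return token[len(TOKEN_PREFIX):] if token else None

def diagnose(login_scheme, request_scheme, user="alice@example.com"):
    """Return (cookie names on the wire, resolved user) for one request after login."""
    jar = [issue_login_cookie(login_scheme, user)]
    sent = cookies_sent(jar, request_scheme)
    return sorted(sent), current_user(request_scheme, sent)

if __name__ == "__main__":
    for login in ("http", "https"):
        for req in ("http", "https"):
            names, who = diagnose(login, req)
            print(f"login={login:5} request={req:5} sent={names} user={who}")
```

Only the rows where the login scheme and the request scheme match resolve a user; in the HTTP-to-HTTPS row the ACSID cookie does reach the server but is not the one it looks for.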

I have been looking for it but haven’t found any App Engine-specific configuration that comes to help here. In the meantime, I just wanted to capture this bit about UserService when a switch between HTTP / HTTPS happens!


A Utility Tag-Cloud App on Google App Engine

Here is another utility application I have put on Google App Engine – I wanted to check out how persistence and security work in an application developed for App Engine. Another thing I wanted to check out was how tag clouds are implemented.

This utility allows you to enter items, categorize them and then label them with tags you want to remember those items with. For example, if you want to maintain information about the movies you know, the books you have read, you can create categories called Movies, Books, and then start adding information under books and movies of your interest and easily navigate through the popular ones using the tag clouds that get built up.

Here is the accompanying article I wrote on DZone discussing its technical details.

Groovy AST Browser – Web Based

This was something I wanted to do for some time now. The first thing I didn’t like about the existing AST Browser implementation in Groovy was that the compilation bits were all intermixed with the Swing tree view implementation bits. Secondly, I wanted this tool to be available on the web, complementing the Groovy Web Console.
So, I took the opportunity to brush up on some JavaScript/CSS/Ajax stuff and separated out, in the Groovy AST Browser, the compilation bits from the view bits, so that it could also present the data in plain text nodes that could then be rendered in non-Swing views.

So, here is the web-based version of AST Browser – deployed on Google App Engine environment –

Accompanying this work, here is an article published on DZone: