I'm looking to roll my own simple user authentication as part of an iOS / GAE app. I don't want to use 3rd-party libs such as Spring.
I have an iOS client from which I'd like to offer the option to create a profile (hashed UDID, password). Store the login details (keychain?) and auto-login to GAE each time my App starts.
I'm thinking simple HTTP basic-authentication. B64 decode (GAE API for this?), then use the hashed UDID as Key into my various datastore Entities via low level data store API. Then generate some kind of unique session ID (GAE API for this?) to pass around as a URL parameter.
I have fairly good Java/Objective-C experience, but it's my first 'cloud' type app and I have security concerns about the above approach. Not least because I didn't find any Java examples of solving what must be a fairly common problem, which makes me think I'm missing something :)
Some things I'm not sure how to solve;
I'm new to GAE and excited to get past this first hurdle, so any tips or advice are much appreciated!
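The steps described in the question (decode the Basic header, check the password against the stored profile, issue a session ID), as an added sketch that is not part of the original post and is not GAE code. It assumes Java 8+ standard-library classes only, HTTPS transport, and a PBKDF2 iteration count and placeholder profile ID chosen for illustration; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class BasicAuthSketch {
    private static final SecureRandom RNG = new SecureRandom();

    /** Splits "Basic <base64(user:password)>" into {user, password}; null if malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                        StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');   // split on the first ':'; the password may contain more
            return colon < 0 ? null
                 : new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
    }

    /** Salted PBKDF2 hash: stored in the profile entity instead of the password itself. */
    static byte[] hashPassword(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256); // iteration count is an assumption
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    /** Constant-time comparison of the stored hash with the hash of the submitted password. */
    static boolean verify(String password, byte[] salt, byte[] storedHash) throws Exception {
        return MessageDigest.isEqual(storedHash, hashPassword(password.toCharArray(), salt));
    }

    /** 256-bit random session ID, URL-safe so it can be carried as a URL parameter. */
    static String newSessionId() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: the user name stands in for the hashed UDID.
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] stored = hashPassword("s3cret:pw".toCharArray(), salt);
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("hashed-udid-placeholder:s3cret:pw".getBytes(StandardCharsets.UTF_8));
        String[] cred = parseBasic(header);
        System.out.println(cred[0] + " authenticated=" + verify(cred[1], salt, stored));
        System.out.println("session=" + newSessionId());
    }
}
```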
Some of my experiences: though I'm using Python, you might find some of the observations I make helpful:
You might want to consider OAuth 2.0 as authentication model since it works with most providers.
I first chose a JavaScript / OpenID + custom login and now I use server-side OAuth 2.0 + custom login. (I had considered using http://www.janrain.com/ if you're thinking of alternatives to rolling your own.)
A third option for you is to take a custom authentication that is already included with a Java CMS for app engine that already has an authentication system.
You can make a completely custom /admin interface completely separate from the user experience, so App Engine will be preferable for you since it gives you a lot of control over the code.
If you want to look at how a larger Java CMS for GAE does it, then you could check http://www.vosao.org/