Vivek Mohan

Reputation: 8366

How to provide authentication in GAE web services (using restlet framework)?

I am looking for a proper way of authentication for my GAE app.

Since I am using restlet framework for my web services I found cookies as a nice way for secure service calls. Now my doubts are:

  1. What is "signing a cookie"?
  2. Where to store cookie values? DB or any static class?
  3. How to provide encryption for the cookie?
  4. What if cookies are disabled in the browser?

Is there any better mechanism available than cookie?

Upvotes: 1

Views: 383

Answers (1)

Peter Knego

Reputation: 80340

If you enable sessions, handling cookies will be taken care of for you automatically: http://code.google.com/appengine/docs/java/config/appconfig.html#Enabling_Sessions

Now, sessions are handled for all users; it's up to you to keep track of who is authenticated:

  1. When a user logs in, add some auth data to their session. This data might contain their ID and an expiry time.
  2. When a request comes in, look at the session to see if this data is there and if it's still valid.
  3. If valid, proceed as normal.
  4. If not valid or no auth data in session, return error (in case of REST) or redirect to login page.

All these functions are usually performed in a servlet filter. Filters handle requests before and after servlets handle the request, so they give you an option to intercept a request and do some processing (like checking if the request is authenticated).

Upvotes: 1
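The four steps in the answer above, written as a servlet filter. This is an added example, not code from the original answer; the class name `AuthFilter`, the session attribute names, and the 30-minute lifetime are assumptions chosen for illustration.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Rejects requests whose session carries no valid, unexpired auth data. */
public class AuthFilter implements Filter {
    // Hypothetical attribute names and lifetime, chosen for this example.
    static final String USER_ID = "auth.userId";
    static final String EXPIRES_AT = "auth.expiresAtMillis";
    static final long LIFETIME_MILLIS = 30L * 60 * 1000;

    /** Step 1: call from the login handler once credentials have been verified. */
    public static void markAuthenticated(HttpServletRequest req, String userId) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate(); // new session ID at login (avoids session fixation)
        HttpSession session = req.getSession(true);
        // String and Long are Serializable, so they can live in a persisted session.
        session.setAttribute(USER_ID, userId);
        session.setAttribute(EXPIRES_AT, System.currentTimeMillis() + LIFETIME_MILLIS);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Step 2: look for auth data; getSession(false) never creates a session.
        HttpSession session = req.getSession(false);
        Object userId = (session == null) ? null : session.getAttribute(USER_ID);
        Object expiresAt = (session == null) ? null : session.getAttribute(EXPIRES_AT);
        boolean valid = userId instanceof String
                && expiresAt instanceof Long
                && System.currentTimeMillis() < (Long) expiresAt;

        if (valid) {
            chain.doFilter(request, response); // Step 3: proceed as normal
            return;
        }
        // Expired or malformed auth data: drop the session so it cannot be reused.
        if (userId != null) session.invalidate();
        // Step 4: error for REST calls; a browser app would redirect to its login page.
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The filter has to be registered with `<filter>` and `<filter-mapping>` entries in `web.xml`, mapped only to the protected URLs so the login endpoint stays reachable, and sessions must be enabled as described in the linked App Engine configuration page.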
