using https sparingly in my GAEJ app

Question

I have a GAEJ application that until now hasn't had to deal with sensitive data. For that reason it's been happily running under http:// I am using GWT-RPC for my client server calls.

However I now want to start storing customer names and addresses, for which I'd like to start using https.

I understand the limitation that it has to use the https://www.xxxxx.appspot.com/ domain.

My question is how can I create a sub-section of my site that only deals with client-senstive data, leaving the rest of my site untouched?

For example if I put the following security constraint in my web.xml :

<security-constraint>
    <web-resource-collection>
          <url-pattern>/xxxxx/admin/*</url-pattern>
      </web-resource-collection>
    <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
 </security-constraint>

how can I then tell the app to use https for only certain RPCs, and not all of them?
In other words, is it possible to leave it so that my users still access my site using http: http://www.xxxxx.appspot.com/ and when they make an RPC sending or receiving sensitive data that is done over https ?

Should I use RequestBuilder to construct my GWT-RPC to be https? but if I do that how do I get round the Browser Same origin policy ?

Surely there must be a way of doing this, it must be quite a common problem?

Answer 1

The cross-domain policy for AJAX calls will not allow you to do an RPC to https://blah when you've served the page from http://blah

It's possible to overcome this using an iframe or a header like this:

Access-Control-Allow-Origin: https://www.mysite.com

but I don't know if that's possible on GWT.