I recently watched a video from Google I/O on Best Practices for GWT Security, and one of the strong recommendations from the speaker was to actually separate your app into two different apps:
- Login App – used to present a login screen and authenticate a user for the Primary App; and
- Primary App – the rest of your app
His reasoning for this is that all client-side code can be compromised, even with GWT’s insane obfuscation methods. Don’t open yourself up to unnecessary attack: by having two separate apps, an attacker (who is not authorized to even log in and use the system) will only be able to pull down the client-side code of the Login App without getting his hands on the Primary App‘s client-side code.
I like this approach, but plan on deploying my app(s) to GAE, which strictly prohibits you from using multiple apps (WARs) to coordinate with each other (explicitly says so in the Terms & Conditions!).
So it seems that the Google Developers themselves have a disagreement here! On one hand, the GWT team wants your app broken up for security purposes, but then the GAE team doesn’t want 2+ apps being “in league” with each other for billing purposes. My impression is that Google wants developers to embrace their entire platform, using both GWT and GAE.
So what’s the deal here?!? Is there any way to break up my codebase without producing a separate WAR (thus appeasing GAE) but in such a way that there’s no way to see my Primary App‘s code until you log in?
I would think “yes”, however GWT forces you to download everything all at once (to minimize roundtrips and expensive HTTP requests). Any ideas? Thanks in advance!
I think the idea would be to have separate modules in GWT to do the login and run the real application.
You might see for example:
https://github.com/ashtonthomas/GwtAdvancedLogin
BTW, GWT does not force you to download everything at once. You can easily split the code.
https://developers.google.com/web-toolkit/doc/latest/DevGuideCodeSplitting
I would think having separate modules is what you want, though, as opposed to code splitting.
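A worked example of the code-splitting approach the answer links to, added here as an editor's illustration and not code from either post or from the GwtAdvancedLogin repository. The security-relevant point is that `GWT.runAsync` only defers the *download* of the Primary App's fragment; the compiler still emits that fragment as a static `.cache.js` file in the WAR, at a predictable URL, so anyone can fetch it unless the server refuses to serve it to unauthenticated sessions. The example therefore pairs the client-side split with a servlet filter that guards the fragment directory. Assumed and not from the page: the package names, the hypothetical `LoginView`, `PrimaryApp`, `LoginService`/`LoginServiceAsync` types, the session attribute name `authenticatedUser`, and the `deferredjs/` output path (the directory the GWT compiler uses for split fragments).

```java
// File: com/example/app/client/AppEntryPoint.java  (constructed example)
package com.example.app.client;

import com.google.gwt.core.client.EntryPoint;
import com.google.gwt.core.client.GWT;
import com.google.gwt.core.client.RunAsyncCallback;
import com.google.gwt.user.client.Window;
import com.google.gwt.user.client.rpc.AsyncCallback;

public class AppEntryPoint implements EntryPoint {

    // Hypothetical GWT-RPC login service; only login(user, pass, callback) is assumed.
    private final LoginServiceAsync loginService = GWT.create(LoginService.class);

    @Override
    public void onModuleLoad() {
        // Everything reachable from here lands in the initial download,
        // so keep it to the login screen and nothing else.
        LoginView view = new LoginView();                 // hypothetical widget
        view.setSubmitHandler((user, pass) ->
            loginService.login(user, pass, new AsyncCallback<Boolean>() {
                @Override public void onFailure(Throwable t) {
                    Window.alert("Login request failed");
                }
                @Override public void onSuccess(Boolean ok) {
                    if (ok) loadPrimaryApp();
                    else Window.alert("Invalid credentials");
                }
            }));
        view.show();
    }

    private void loadPrimaryApp() {
        GWT.runAsync(new RunAsyncCallback() {
            @Override
            public void onFailure(Throwable reason) {
                // Fragment fetch failed: network error, or the server refused it
                // (e.g. 403 from the filter below because the session is not logged in).
                Window.alert("Could not load application: " + reason.getMessage());
            }

            @Override
            public void onSuccess() {
                // Code referenced only from inside this method is compiled into a
                // separate fragment that the browser fetches on the first call.
                new PrimaryApp().show();                  // hypothetical root widget
            }
        });
    }
}

// File: com/example/app/server/FragmentGuardFilter.java  (constructed example)
// Map this filter in web.xml to the fragment directory, e.g. <url-pattern>/app/deferredjs/*</url-pattern>,
// where "app" is the GWT module's rename-to name (assumption).
package com.example.app.server;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class FragmentGuardFilter implements Filter {
    // Assumption: the server-side login RPC sets this attribute on success.
    static final String AUTH_ATTR = "authenticatedUser";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false);   // never create a session here
        boolean authenticated = session != null && session.getAttribute(AUTH_ATTR) != null;
        if (!authenticated) {
            // Deny the split fragment to anyone who has not logged in.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Two caveats when deploying this on GAE. First, App Engine serves files it classifies as static directly from its front end, bypassing servlet filters, so the `deferredjs/` directory must be excluded from `<static-files>` (or listed under `<resource-files>`) in `appengine-web.xml` for the filter to run at all; the exact stanza depends on your module name and is not shown here. Second, `runAsync` moves only code that is reachable *solely* through the `onSuccess` body; anything also referenced from the login path stays in the initial download, so check the compiler's split-point report before assuming the Primary App's code is actually out of the first fragment.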