On March 1, 2011 App Engine changed its login flow, breaking my app (see the Google Groups message). This issue also came up in this Stack Overflow question. The suggested answers are

"have the app perform the redirect. That is, createLoginUrl only works when the continue url is a url for the app. If you need the user to be sent to another app/host after login, then your app needs to do that redirect"

and

"set up a redirect handler on your own app. Make that the target of the continue parameter, and have it send a final redirect to your actual target".

I'm asking this question to get details on how to make this work. My application consists of two GAE apps, a GWT front end and the back end exposing a REST API. Here is the current flow.

The user browses to http://my-front.appspot.com/, and the GWT makes a JSONP call to a http://my-back.appspot.com/User servlet.

The /User servlet checks the GAE UserServiceFactory.getUserService().getCurrentUser() to see if it's null. For users not logged in, this is null, and the servlet returns JSONP that the user is not logged in.

The GWT code gets the "not logged in" message, and does

String login = "http://my-back.appspot.com/Login";
Window.open(login, "_self", "");

The Login servlet:

public void doActualGet(HttpServletRequest req, HttpServletResponse resp) 
    throws ServletException, IOException {

    UserService userService = UserServiceFactory.getUserService();
    String url = "http://my-back.appspot.com/LoginRedirectServlet";
    // String url ="http://my-front.appspot.com";  <--------- Before 1 March
    log.info("Auth then redirect to: " + url);
    String redirect = userService.createLoginURL(url);
    resp.setStatus(301);
    resp.setHeader("Location", redirect);
    resp.setHeader("Connection", "close");
}

My new LoginRedirectServlet has one line:

resp.sendRedirect("http://my-front.appspot.com/");

This usually results in a redirect loop, though sometimes after hitting the initial url several times it works. My suspicion is that there's something wrong about the code near Window.open, but I'm open to all suggestions.

Thanks, Glenn

Try using Window.Location.assign(url) instead of Window.open(..).

Update:

Possible problem: you browser caches 301 redirect (Chrome does it for example). Since your Login servlet produces redirect and if cached this would produce a loop. Try using other redirect code: 302 or 307.

Credit due to Nick Johnson for whining about the two-app architecture. I've never liked it. I moved war/MyFront.html and the compiled GWT code in war/myfront/ to the war file of the myback project, changed all urls to the form http://my-back.appspot.com/ and deployed. It worked!

This is just a hack, but it proves the principle.