Secure authentication with GWT and GAE over https?
I want to implement a custom user authentication system in my appengine app. I don't want to use sessions. I'm a newbie in this area, so I have two basic questions:
1: Is it secure to just send a username and password with every single RPC over https? What do I need to do to keep that username and password secure on the client end?
2: How do I tell GWT to use https when it makes its requests?
I don't know much about security, so please don't spare me any "obvious" details.
Thanks!
Watching the process with firebug shows that all RPCs are happening over the same protocol that the host page was requested with. This seems to be required for same-site-origin rules, so I'm going to assume that my answers are
1: Yes, but it's slower
2: GWT automatically uses https when the host page was requested w/ https
- Sending username and password over HTTPS is secure, but nobody does this for every request, because some day you may forget/need to send a request through HTTP. Also, keeping the password in memory will attract XSS hackers. One unnoticed XSS vulnerability will expose passwords. Usually, developers keep either a session-id or an XSRF-token in memory and send it with each request.
- Look at http://code.google.com/appengine/docs/java/config/webxml.html#Secure_URLs
- Don't forget about XSRF protection, you need to implement it for requests that change something (not read-only).
On GAE you can also use Google User Services API http://code.google.com/appengine/docs/java/users/overview.html . It's very intuitive and you won't need to know security details.
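The pattern from the answer above (token in memory instead of the password, checked on every state-changing RPC, HTTPS enforced) as an added servlet filter; this is example code, not part of GWT or GAE. The header names `X-User-Id` and `X-XSRF-Token`, the system property `rpc.xsrf.secret` and the filter class itself are assumptions; the user id is whatever your own login step asserted, and the client stores the token in a JavaScript variable and adds it to each RPC request.

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter mapped to the GWT-RPC servlet path in web.xml.
// Rejects plain-HTTP calls and POSTs that lack a valid per-user XSRF token.
public class RpcGuardFilter implements Filter {
    private static final Charset UTF8 = Charset.forName("UTF-8");
    // Assumption: a server-side secret from configuration; it is never sent to the browser.
    private static final byte[] SECRET =
        System.getProperty("rpc.xsrf.secret", "CHANGE-ME").getBytes(UTF8);

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        if (!r.isSecure()) {                       // credentials and tokens only travel over TLS
            w.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // GWT-RPC always POSTs; map read-only services outside this filter if you want to exempt them.
        if (!"GET".equals(r.getMethod())) {
            String userId = r.getHeader("X-User-Id");     // assumed: identity from your auth layer
            String token = r.getHeader("X-XSRF-Token");   // assumed: token handed out after login
            if (userId == null || token == null || !constantTimeEquals(expectedToken(userId), token)) {
                w.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid XSRF token");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Stateless token bound to the user: HMAC-SHA256(secret, userId), hex-encoded. No session needed.
    static String expectedToken(String userId) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
            StringBuilder hex = new StringBuilder();
            for (byte b : mac.doFinal(userId.getBytes(UTF8))) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    // Constant-time comparison so the token cannot be guessed byte by byte via timing.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(UTF8), b.getBytes(UTF8));
    }
}
```

Issue the token from the login handler by calling `expectedToken(userId)` once the password has been verified, and combine the filter with the `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` setting from the Secure_URLs page so the host page itself is also served over HTTPS.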