Google Apps Domain Authentication with Google App Engine - Too many redirects - google-app-engine

These are the steps I followed.
Created new Application from GAE console with custom domain authentication option. Gave my domain name.
Registered my domain with Google Apps for Work. Enabled App Engine Service for my GAE Application.
Added the following code to the web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <url-pattern>*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
Tried to open the app with a normal Gmail account. It gets redirected to the login page. It works fine up to here.
Here comes the problem: I tried to log in with my domain account and it shows an error "Too many redirects".
I tried clearing the cookies and made sure only one account is logged in at a time.
Please help.

Please change to /*. Alternatively you can use app.yaml for Java apps too as it's easier to configure (not sure it can be used with Eclipse). Unless your app needs to be portable to other Java app servers.

Related

How to authorize a compute engine to access a secured servlet in app engine?

I deployed a jar file in a compute engine, this jar file trying to access a servlet deployed in app-engine with this details:
servlet path: https:/pathToAppEngine/tasks/sendMail
and its secured by this:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>my-tasks</web-resource-name>
            <url-pattern>/tasks/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
The compute engine is linked to a service account with owner privileges, and both the app-engine and compute engine instance are within the same Google project.
As a result, whenever this jar file (in compute engine) tries to access this servlet (in app engine) it shows the Google login page.
And if I remove the security from this servlet then it can be accessed easily from that jar file.
So how can I authorize this compute engine to access this secured servlet in app-engine, please?
I believe the behaviour you are seeing right now is expected, as the <security-constraint> enforces authentication for Google Accounts which requires a Google Account or G Suite Domain.
You might want to look at the Endpoints Auth documentation instead of using <security-constraint> if you will be using a service account to authenticate these requests.
Also, you could create your own logic in your App Engine code and add an API key or your own auth string to your request.
    GET https://application.com/endpoint?key=###
You could always obfuscate the key.
Lastly, you could also implement your own auth logic when sending the request from the compute engine instance to App Engine. Cheers
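One way to implement the "own logic" API-key check suggested in the answer above, as an added example that is not code from the original post. It reads the key from a request header rather than the query string, because request URLs are written to the request logs; the header name `X-Tasks-Key`, the environment variable `TASKS_API_KEY` and the class name are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Map this filter to /tasks/* in web.xml in place of the admin <security-constraint>.
public class TaskKeyFilter implements Filter {
    private byte[] expectedDigest;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Assumption: the secret is supplied as an environment variable, not hard-coded.
        String key = System.getenv("TASKS_API_KEY");
        if (key == null || key.length() < 32) {
            throw new ServletException("TASKS_API_KEY is missing or too short");
        }
        expectedDigest = sha256(key);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String presented = ((HttpServletRequest) req).getHeader("X-Tasks-Key"); // hypothetical name
        // Fail closed: a missing key and a wrong key get the same answer.
        // Comparing fixed-length digests with isEqual avoids a timing side channel.
        if (presented == null || !MessageDigest.isEqual(expectedDigest, sha256(presented))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    private static byte[] sha256(String s) throws ServletException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new ServletException(e);
        }
    }
}
```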

How to add a sign in page using default google sign in App Engine and fetch and store some user data in datastore?

I am working on an App Engine Project.
I need to add a user sign in functionality before accessing the app. I read different documentations and questions and found that App Engine comes with the support of providing user sign in option using the Google Sign In.
As of now, I didn't use the sign in functionality in my application. If I add this feature, how can I redirect the user to the home page after sign in and ensure that each part of the application is accessible only when the user signs in?
Also, I need to store some information like the username which the user enters during sign-in process into the datastore and use it later in my application.
Please advise.
By the sound of it you simply want the user to have to sign into their Google account before they're able to access any page in your app. This can be done pretty easily in your web.xml file by adding (under your servlet mapping):
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
This will prompt the user to sign into their Google account before taking them to whatever page they were trying to access.
You haven't specified which front end approach/framework you are using in your "App Engine project" or "application".
If it is a web application and you use Google Endpoints, you should have a look at this tutorial which shows how to secure endpoints.
https://rominirani.com/google-cloud-endpoints-tutorial-part-5-7cece01570f#.7n6ug9lmi and https://rominirani.com/google-cloud-endpoints-tutorial-part-6-e9d72635d94b#.mlbffkqr2
In order to store the user name entered by the user, you just have to get it from the User object that is injected in the Endpoints method and save it in the datastore (see: https://cloud.google.com/appengine/docs/java/endpoints/parameter-and-return-types#injected_types)

Can I put my Google App Engine app (*.appspot.com) on a VPN or behind a firewall?

I want to set something up so only authorized users (perhaps on a VPN) can see my Google App Engine app. Is this possible?
EDIT: I want to make a private dev version of the app (different app engine app). And I want to make a private "dev console" that can be used to simulate usage by calling endpoints with task queues. I will still have authentication, and I thought it would make sense to have this dev environment hidden from the rest of the world. Unnecessary?
What you can do for test environments is to put this in your web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin required</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
This makes sure you have to be logged in as an admin to view the site. You can add users to your project in the permissions screen:
https://console.developers.google.com/project/[YOURPROJECT]/permissions
An easy way of doing what you want is to deploy a "dev" version to AppEngine, then you can access it with this URI: http://dev.app_name.appspot.com.
The default version is still accessible. And you can test your endpoints with the dev URL.
For OAuth2, don't forget to add the dev url in the OAuth API Console.

How to restrict access to an appengine application only to the owners and developers?

I have an application developed and deployed on Google App Engine, and I want to make some integration tests, so is there a way to make the application (MyappId.appspot.com) visible only to me (owner) and others that were added as developers?
Nowadays you can use Google Identity Aware Proxy https://cloud.google.com/iap
You can set the configuration of the application to allow only admin users. An example for Python is presented in the App Engine documentation for Python.
From the App Engine documentation:
If the constraint specifies a user role of admin, then only registered
developers of the application can access the URL. The admin role makes
it easy to build administrator-only sections of your site.
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>admin</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
@Andrei Volgin
Thanks for the link: I have read the documentation about App Engine Python apps and see that we can just add login: admin to our yaml file like this:
    - url: /.*
      script: handler.application
      secure: always
      login: admin
documentation

Prevent Google App Engine from remembering session of non-admin user when using security-constraint

I was going through this article and got stuck with one issue. Imagine I have following rule in web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin access</web-resource-name>
            <url-pattern>/AdminPanel.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
Then a non-admin user opens AdminPanel.jsp, GAE redirects him to the Google Accounts login page, he enters his credentials and logically gets this page:
Error: Forbidden
Your client does not have permission to get URL /AdminPanel.jsp from this server.
Now I can't re-login with another Google Account because I'm still authenticated as the wrong user and GAE put an ACSID cookie for the app URL. I will always get the error message I mentioned above. Is there a way to elegantly solve this issue? I'd like the customer to be able to re-login with appropriate credentials. Also, the situation where a customer is signed into more than one account is possible. I personally have a Google Apps account and a Gmail account. All Google applications such as Gmail have options to switch between accounts. Can I do the same?
Check the user's credentials inside your app's servlet, rather than using web.xml. If they are logged in but not authorized, offer them the opportunity to log out.
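A sketch of the in-servlet check described in the answer above, using the App Engine Users API; this is an added example, not code from the original answer. The servlet class name and the `/WEB-INF/AdminPanel.jsp` location are assumptions, and the servlet is assumed to be mapped to a URL that no longer carries the admin `<security-constraint>`.

```java
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AdminPanelServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException, ServletException {
        UserService users = UserServiceFactory.getUserService();
        String here = req.getRequestURI(); // path of this request, used as the return target

        if (!users.isUserLoggedIn()) {
            resp.sendRedirect(users.createLoginURL(here));
            return;
        }
        if (!users.isUserAdmin()) {
            // Signed in with the wrong account: say which one and offer a way out.
            // After signing out, the user lands back here and is sent to the login page.
            String email = escapeHtml(users.getCurrentUser().getEmail());
            String logout = escapeHtml(users.createLogoutURL(here));
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
            resp.setContentType("text/html; charset=UTF-8");
            resp.getWriter().println("<p>" + email + " is not an administrator of this app. "
                    + "<a href=\"" + logout + "\">Sign out and use another account</a></p>");
            return;
        }
        resp.setHeader("Cache-Control", "no-store");
        // Assumption: the JSP was moved under WEB-INF so it cannot be requested directly.
        req.getRequestDispatcher("/WEB-INF/AdminPanel.jsp").forward(req, resp);
    }

    // Minimal escaping for values written into HTML text and attribute context.
    private static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```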
