Can I put my Google App Engine app (*.appspot.com) on a VPN or behind a firewall?

I want to set something up so only authorized users (perhaps on a VPN) can see my Google App Engine app. Is this possible?
EDIT: I want to make a private dev version of the app (different app engine app). And I want to make a private "dev console" that can be used to simulate usage by calling endpoints with task queues. I will still have authentication, and I thought it would make sense to have this dev environment hidden from the rest of the world. Unnecessary?

What you can do for test environments is to put this in your web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin required</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
This makes sure you have to be logged in as an admin to view the site. You can add users to your project in the permissions screen:
https://console.developers.google.com/project/[YOURPROJECT]/permissions

An easy way to do what you want is to deploy a "dev" version to App Engine; then you can access it with this URI: http://dev.app_name.appspot.com.
The default version is still accessible, and you can test your endpoints with the dev URL.
For OAuth2, don't forget to add the dev URL in the OAuth API Console.

Related

Securing URLs in App Engine Flexible (with users and roles from IAM)

I want to upgrade my Java App Engine Standard app to App Engine Flexible and I am wondering what is the best solution to secure certain URLs (e.g. /admin/*).
In Standard I used this in web.xml to restrict access to certain paths to users from IAM (https://console.cloud.google.com/iam-admin/iam):
<security-constraint>
  <web-resource-collection>
    <web-resource-name>users</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
As mentioned in the upgrade notes:
The secure setting under handlers is now deprecated for the App Engine
flexible environment.
What is the best solution to secure URLs with users and roles from IAM, so with permissions I already defined there?
I think Cloud Identity-Aware Proxy (IAP) [1] would be a good solution for you:
Cloud Identity-Aware Proxy (Cloud IAP) lets you manage access to applications running in App Engine standard environment, App Engine flexible environment, Compute Engine, and Kubernetes Engine. Cloud IAP establishes a central authorization layer for applications accessed by HTTPS, so you can adopt an application-level access control model instead of using network-level firewalls.
Check this page to manage user access [2]:
This page describes how to manage individual or group access to Cloud Identity-Aware Proxy (Cloud IAP)-secured resources at the resource level.
You can use projects.testIamPermissions to check the permissions the user currently has, and deny/allow access from there. For example:
test_iam_permissions_request_body = {
    "permissions": [
        "resourcemanager.projects.get"
    ]
}
will return resourcemanager.projects.get if the user has that permission, and empty if not. This way you can still use the users/roles defined in IAM to allow access.
Unfortunately, this is no longer possible with just a configuration. As you can see in the documentation
"Note that because the Users service is not available, it is not possible to use app.yaml to make URLs accessible only by administrators. You will need to handle this logic within your application."
You will need to handle this with application code (check the authenticated user and then allow or deny him access).
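One way to do that check in application code, as an added example that is not from the answers above: a WSGI middleware guarding the `/admin` prefix from the question. It assumes the caller's identity has already been verified (for instance from the signed header Cloud IAP attaches); `get_verified_email`, `AdminGate` and the allowlist are hypothetical names, and the e-mail address is constructed.

```python
# Added example: application-level replacement for a web.xml /admin/* constraint.
# Constructed rule table: protected path prefix -> allowlisted identities.
PROTECTED_PREFIXES = {"/admin": {"alice@example.com"}}


def is_canonical(path):
    """True only for paths with no empty, '.' or '..' segments."""
    if not path.startswith("/"):
        return False
    segments = path.split("/")[1:]
    inner_ok = all(s not in ("", ".", "..") for s in segments[:-1])
    return inner_ok and segments[-1] not in (".", "..")


def is_allowed(path, verified_email, rules=PROTECTED_PREFIXES):
    """Decide access for one request path and one already-verified identity."""
    # Refuse non-canonical paths outright, so this check and the router
    # behind it can never disagree about which resource is meant.
    if not is_canonical(path):
        return False
    lowered = path.lower()  # match case-insensitively: errs toward denying
    for prefix, allowed in rules.items():
        if lowered == prefix or lowered.startswith(prefix + "/"):
            return verified_email is not None and verified_email.lower() in allowed
    return True  # path is not under any protected prefix


class AdminGate:
    """WSGI middleware: answer 403 unless is_allowed() approves the request."""

    def __init__(self, app, get_verified_email, rules=PROTECTED_PREFIXES):
        self.app = app
        self.get_verified_email = get_verified_email  # hypothetical hook
        self.rules = rules

    def __call__(self, environ, start_response):
        email = self.get_verified_email(environ)
        path = environ.get("PATH_INFO") or "/"
        if not is_allowed(path, email, self.rules):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)
```

Paths outside the protected prefixes pass through unchanged, which mirrors a `security-constraint` that covers only `/admin/*`.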

How to authorize a compute engine to access a secured servlet in app engine?

I deployed a jar file on a Compute Engine instance. This jar file is trying to access a servlet deployed in App Engine with these details:
servlet path: https://pathToAppEngine/tasks/sendMail
and it's secured by this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>my-tasks</web-resource-name>
    <url-pattern>/tasks/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
The Compute Engine instance is linked to a service account with owner privileges, and both the App Engine app and the Compute Engine instance are within the same Google project.
As a result, whenever this jar file (in Compute Engine) tries to access this servlet (in App Engine), it shows the Google login page.
If I remove the security from this servlet, it can be accessed easily from that jar file.
So how can I authorize this Compute Engine instance to access this secured servlet in App Engine, please?
I believe the behaviour you are seeing right now is expected, as the <security-constraint> enforces authentication for Google Accounts which requires a Google Account or G Suite Domain.
You might want to look at the Endpoints Auth documentation instead of using <security-constraint> if you will be using a service account to authenticate these requests.
Also, you could create your own logic in your App Engine code and add an API key or your own auth string to your request.
GET https://application.com/endpoint?key=###
You could always obfuscate the key.
Lastly, you could also implement your own auth logic when sending the request from the Compute Engine instance to App Engine. Cheers
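The "own auth logic" option can be made concrete with a signed request instead of a key in the URL, where it would end up in request logs. This is an added example, not part of the answer: the caller signs method, path, timestamp and body with a shared secret, and the `/tasks/*` handler verifies it. The header names, the secret and the five-minute window are assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample secret; a real one would come from a secret store.
SHARED_SECRET = b"constructed-example-secret"
MAX_SKEW_SECONDS = 300  # accept timestamps within five minutes of "now"


def sign_request(method, path, body, secret, now=None):
    """Caller side (the Compute Engine job): build the two auth headers."""
    timestamp = str(int(time.time() if now is None else now))
    body_hash = hashlib.sha256(body).hexdigest()
    message = "\n".join([method.upper(), path, timestamp, body_hash]).encode()
    signature = hmac.new(secret, message, hashlib.sha256).hexdigest()
    # Hypothetical header names, chosen for this example.
    return {"X-Auth-Timestamp": timestamp, "X-Auth-Signature": signature}


def verify_request(method, path, body, headers, secret, now=None):
    """Receiver side (the /tasks/* handler): True only for a fresh, valid signature."""
    timestamp = headers.get("X-Auth-Timestamp", "")
    signature = headers.get("X-Auth-Signature", "")
    if not (timestamp.isascii() and timestamp.isdigit()) or not signature:
        return False
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # too old or too far in the future
    # Recompute the signature over what was actually received.
    expected = sign_request(method, path, body, secret, now=int(timestamp))
    # Constant-time comparison: does not reveal how many characters matched.
    return hmac.compare_digest(
        expected["X-Auth-Signature"].encode(), signature.encode()
    )
```

Because the path and a hash of the body are part of the signed message, a captured header pair cannot be reused for a different endpoint or payload.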

How to add a sign in page using default google sign in App Engine and fetch and store some user data in datastore?

I am working on an App Engine Project.
I need to add user sign-in functionality before accessing the app. I read different documentation and questions and found that App Engine comes with support for providing a user sign-in option using Google Sign-In.
As of now, I haven't used the sign-in functionality in my application. If I add this feature, how can I redirect the user to the home page after sign-in and ensure that each part of the application is accessible only when the user signs in?
Also, I need to store some information like the username which the user enters during sign-in process into the datastore and use it later in my application.
Please advise.
By the sound of it you simply want the user to have to sign into their Google account before they're able to access any page in your app. This can be done pretty easily in your web.xml file by adding (under your servlet mapping):
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
This will prompt the user to sign into their Google account before taking them to whatever page they were trying to access.
You haven't specified which front-end approach/framework you are using in your "App Engine project" or "application".
If it is a web application and you use Google Endpoints, you should have a look at this tutorial which shows how to secure endpoints.
https://rominirani.com/google-cloud-endpoints-tutorial-part-5-7cece01570f#.7n6ug9lmi and https://rominirani.com/google-cloud-endpoints-tutorial-part-6-e9d72635d94b#.mlbffkqr2
In order to store the user name entered by the user, you just have to get it from the User object that is injected in the Endpoints method and save it in the datastore (see: https://cloud.google.com/appengine/docs/java/endpoints/parameter-and-return-types#injected_types)

Google Apps Domain Authentication with Google App Engine - Too many redirects

These are the steps I followed.
Created a new application from the GAE console with the custom domain authentication option. Gave my domain name.
Registered my domain with Google Apps for Work. Enabled the App Engine service for my GAE application.
Added the following code to the web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
Tried to open the app with a normal Gmail account. It gets redirected to the login page. It works fine up to here.
Here comes the problem: I tried to log in with my domain account and it shows an error, "Too many redirects".
I tried clearing the cookies and made sure only one account is logged in at a time.
Please help.
Please change to /*. Alternatively you can use app.yaml for Java apps too as it's easier to configure (not sure it can be used with Eclipse). Unless your app needs to be portable to other Java app servers.

How to restrict access to an appengine application only to the owners and developers?

I have an application developed and deployed on Google App Engine, and I want to run some integration tests. Is there a way to make the application (MyappId.appspot.com) visible only to me (owner) and others that were added as developers?
Nowadays you can use Google Identity Aware Proxy https://cloud.google.com/iap
You can set the configuration of the application to allow only admin users. An example for Python is presented in the App Engine documentation for Python.
From the App Engine documentation:
If the constraint specifies a user role of admin, then only registered
developers of the application can access the URL. The admin role makes
it easy to build administrator-only sections of your site.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
@Andrei Volgin
Thanks for the link: I have read the documentation about App Engine Python apps and see that we can just add login: admin to our yaml file like this:
- url: /.*
  script: handler.application
  secure: always
  login: admin