Develop Reference

Restricting protocols for a Camel CometD endpoint

Is it possible to restrict which protocols are allowed on a Camel CometD endpoint, or endpoints in general?
For example, I would like to restrict the endpoint so it can only receive calls through websockets, and not allow HTTP.

From the CometD point of view, you can easily do this by specifying, in the server configuration, the list of allowed protocols:
<web-app ...>
<servlet>
<servlet-name>cometd</servlet-name>
<servlet-class>org.cometd.server.CometDServlet</servlet-class>
<init-param>
<param-name>allowedTransports</param-name>
<param-value>websocket</param-value>
</init-param>
</servlet>
...
</web-app>
The embedded code case is the following:
BayeuxServerImpl bayeuxServer = new BayeuxServerImpl();
bayeuxServer.setAllowedTransports("websocket");
bayeuxServer.start();
If Camel exposes one of these 2 ways to configure the CometD server, then your issue is solved.

Google App Engine : user login page

If I want to require users to be logged in to view any page on my web site, how do I achieve this? Do I check for user login status at the beginning of doGet() in every servlet class and redirect to the log-in page? Once the user logs in, then redirect back to the original servlet? Could I achieve the same thing with a simple configuration some where if such a thing exists?

Add this tag to your web.xml file:
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
This is will require the user to be authenticated in whatever role (role-name) to access any servlet (url-pattern)

App Engine Security Constraint

I am building a small app engine project connected to Android and Iphone devices. I want only the users who has the Google account has to access my http://myuser.appspot.com... Whenever they post something, I want to grab their gmail id and associate with the message that they post using http://myuser.appspot.com... I dont want some one to post junk messages though I perform a validation, but still I want to collect the gmail user id for further reference. I tried adding this web.xml, but it is not forcing me to enter my gmail id before the page shows up,
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
Thanks,
Ramesh

That configuration looks like it should be fine.
Are you already logged into Google? If so it should just pick up the authentication automatically, and you won't need to login again. Try logging out, and then visiting the page.

I found workaround for this issue, that may not be the right way, but I tried all possible ways and came to this conclusion, instead of doing auth constraint for all pages, wheenver I do for the first page, then it always fails to connect.
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
I am doing for specific pages, and redirect to the first page after it gets authenticated onLoad on my second page.
If you find any better solution, please do post.

using https sparingly in my GAEJ app

I have a GAEJ application that until now hasn't had to deal with sensitive data. For that reason it's been happily running under http://
I am using GWT-RPC for my client server calls.
However I now want to start storing customer names and addresses, for which I'd like to start using https.
I understand the limitation that it has to use the https://www.xxxxx.appspot.com/ domain.
My question is how can I create a sub-section of my site that only deals with client-senstive data, leaving the rest of my site untouched?
For example if I put the following security constraint in my web.xml :
<security-constraint>
<web-resource-collection>
<url-pattern>/xxxxx/admin/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
how can I then tell the app to use https for only certain RPCs, and not all of them?
In other words, is it possible to leave it so that my users still access my site using http:
http://www.xxxxx.appspot.com/
and when they make an RPC sending or receiving sensitive data that is done over https ?
Should I use RequestBuilder to construct my GWT-RPC to be https? but if I do that how do I get round the Browser Same origin policy ?
Surely there must be a way of doing this, it must be quite a common problem?

The cross-domain policy for AJAX calls will not allow you to do an RPC to https://blah when you've served the page from http://blah
It's possible to overcome this using an iframe or a header like this:
Access-Control-Allow-Origin: https://www.mysite.com
but I don't know if that's possible on GWT.

How can I override the CXF services list URL?

My webservice has an REST endpoint URL like /myapp/admin/services. If I set org.apache.cxf.servlet.hide-service-list-page=false then my URL is hijacked by the CXF services list. This happens because the listings URL is relative in org.apache.cxf.transport.servlet.ServletController.
OK, fine, so I shouldn't have used the phrase "services" in my URL structure. Mea culpa. But now how do I fix this? I'd like to override the "/services" default in ServletController. I just need my container to invoke setServiceListRelativePath() on that class, but I can't figure out how. I imagine there's some magic Spring snippet to do this?
If it matters, I'm using CXF as bundled in the Talend Service Factory.

(turning my comment above into an answer, and modernizing since TSF no longer exists)
Under Karaf, add the following to etc/org.apache.cxf.osgi.cfg: "org.apache.cxf.servlet.service-list-path=/desired/path"

You can try this in your web.xml to override the CXF service list path
<init-param>
<param-name>service-list-path</param-name>
<param-value>/*</param-value>
</init-param>