I develop an application with GAE and GWT where the user has to be logged in with his Google Account when he access the site. So I defined the following in the web.xml file...
<security-constraint>
<web-resource-collection>
<url-pattern>/index.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
When I'm running the local dev server I get promted with the test login-screen when I open the app the first time, but when I deploy it, I directly come to my application without any authentication.
First I thought, that could be, because I'm already logged in to other Google services, but I tried it in other browsers and in incognito mode too.
I would suggest trying one is to use the URL pattern to * so that all your resources are secure and secondly addind web-resource-name tag to "all" value, as shown in code snippet below.
And I am assuming you already have servlet mapping to service etc
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
Related
When auth-constraint is specified in AppEngine Development server web.xml file. The User injected to endpoint and User received from UserService.getCurrentUser() in HttpServlet are different.
The user Id for endpoint user is zero and for HttpServlet it is a fixed number. When the auth-constraint tag is removed from web.xml file, both user ids are zero. But this tag is required for production server.
How to get a single user for development server?
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
I have a GAE project I'm about to deploy. Everything is going well except I seemingly can't protect certain files. In particular I've uploaded my .p12 key file to use with APNS. I had it in WEB-INF originally but due to a " java.io.IOException: DerInputStream.getLength(): lengthTag=111, too big." I've moved the file outside of this directory. The issue I'm having now is that I'm able to download the .p12 file. Working on the local dev server I have the following permissions and therefore blocking access to the file. However, once I push this out to production I'm still able to download the file. What might it be about the GAE production environment that is not enforcing this security constraint? Thank you for any help.
<security-constraint>
<web-resource-collection>
<web-resource-name>certificates</web-resource-name>
<url-pattern>/certificates/*</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
Looking into the documents, you need to have a role specified inside of "auth-constraint", as shown here
So something like
<security-constraint>
<web-resource-collection>
<web-resource-name>certificates</web-resource-name>
<url-pattern>/certificates/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
should do the trick.
Im using Eclipse and AppEngine SDK 1.7.5.
I tried to validate war folder in my Google App Engine project. There is Invalid Content with my web.xml:
Invalid content was found starting with element 'url-pattern'.
One of '{"http://java.sun.com/xml/ns/javaee":web-resource-name}'
is expected. web.xml /project/war/WEB-INF line 121 XML Problem
This is the xml referred on the error:
<security-constraint>
<web-resource-collection>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
How to fix the error?
It's a dup, see: Eclipse reporting problem in my web.xml, but it is processed fine
Anyway, try adding a web-resource-name element as follows:
<web-resource-collection>
<web-resource-name>Admin Resources</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
I have set up appengine to allow incoming mail, and if I have my web.xml file with
<servlet>
<servlet-name>mailhandler</servlet-name>
<servlet-class>VerifyReply</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>mailhandler</servlet-name>
<url-pattern>/_ah/mail/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<url-pattern>/_ah/mail/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
it works and runs the VerifyReply servlet, but if I want to limit incoming emails to only those sent to the verifyreply#... email address with (notice the url-pattern is different than above)
<servlet>
<servlet-name>mailhandler</servlet-name>
<servlet-class>VerifyReply</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>mailhandler</servlet-name>
<url-pattern>/_ah/mail/v*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<url-pattern>/_ah/mail/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
it stops working and I get an email bounce back to the sender. My logs page shows the server ran /_ah/mail/verifyreply#... but it doesn't run the servlet and bounces the email.
Any ideas, I think I am following the guide at https://developers.google.com/appengine/docs/java/mail/receiving
According to the docs, filtering on address is not supported:
When App Engine moved to a standard Java Web Server, the ability to specify richer matching patterns was lost (e.g. one used to be able to specify a url-pattern like /_ah/mail/support*). If such pattern matching is desired, consider using a filter-based approach based on the following code snippets.
It would consider it a bug that specifying the full address does work. The page contains an example on how to do address matching in a mail handler filter (a filter in the servlet sense). You should match the address there and return a 404 if you do not want to accept the message. Or you can just ignore messages you don't want if you don't care about bouncing them.
I am on a google app engine project now. In my application I have to allow only https protocol. And I have to restrict other protocols. It should allow https only. I have added the below code in web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
But after deploying it works on both the protocols(http and https). How to restrict http?
It is possible to configure the individual handlers to require HTTPS in the app.yaml file in the WEB-INF folder as described here: Java Application Configuration Using app.yaml - Google App Engine.
You just have to add these two words to your app.yaml file under the appropriate url entry:
secure: always
For example:
- url: .*
script: main.app
secure: always
Then if a user tries to access the URL with HTTP she will be automatically redirected to HTTPS. Pretty cool.
If you want to stick with "web.xml" rather than using the "app.yaml" option (which will overwrite your web.xml & appengine-web.xml files at deploy time), you can add in:
<security-constraint>
<web-resource-collection>
<web-resource-name>everything</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Reference:
https://cloud.google.com/appengine/docs/java/config/webxml#Security_and_Authentication
Are you using your own domain? At present, GAE supports SSL for *.appspot.com domains only. They have been promising SSL support for non-appspot domains for some time now and we're all waiting for news on that front.
This is for future folks !!!
In java adding the code below in my web.xml file worked for me
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPS redirect</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
For other project add secure: always under all urls in app.yaml file
Add this to your web.xml file
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>