Remote API security


hawkett

Jun 23, 2009, 5:11:33 AM
to Google App Engine
Hi,

I have a question about the security of the remote_api - looking
through the source code, I noticed that ConfigureRemoteDatastore takes
a 'secure' parameter, which is False by default. I assume this means
that any data submitted via remote_api is done in plain text. What
about the credentials that are obtained using the auth_func() shown in
the example?

Is the secure option supported? When I set secure=True (in code
that works fine when it is set to False), I get

'urllib2.HTTPError: HTTP Error 302: Found'

which I assume is a redirect to a login page. If it is supported,
what is the process for its use? Thanks,

Colin

Nick Johnson (Google)

Jun 23, 2009, 6:13:21 AM
to google-a...@googlegroups.com
Hi hawkett,

On Tue, Jun 23, 2009 at 10:11 AM, hawkett <haw...@gmail.com> wrote:

> Hi,
>
> I have a question about the security of the remote_api - looking
> through the source code, I noticed that ConfigureRemoteDatastore takes
> a 'secure' parameter, which is False by default. I assume this means
> that any data submitted via remote_api is done in plain text. What
> about the credentials that are obtained using the auth_func() shown in
> the example?

Authentication is always performed over a secure channel, but the cookie obtained with authentication is then transmitted in the clear if secure=True is not specified.

> Is the secure option supported? When I set secure=True (in code
> that works fine when it is set to False), I get
>
> 'urllib2.HTTPError: HTTP Error 302: Found'
>
> which I assume is a redirect to a login page. If it is supported,
> what is the process for its use? Thanks,

Did you set "secure: always" or "secure: optional" for the remote_api handler in app.yaml?

-Nick Johnson

> Colin

--
Nick Johnson, App Engine Developer Programs Engineer
Google Ireland Ltd. :: Registered in Dublin, Ireland, Registration Number: 368047

hawkett

Jun 23, 2009, 8:09:30 AM
to Google App Engine
Thanks Nick,

I hadn't set anything - now I know a bit more about app.yaml :) -
I've got it on optional now, and it's working fine - cheers

Colin

On Jun 23, 11:13 am, "Nick Johnson (Google)" <nick.john...@google.com>
wrote:
> Hi hawkett,
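
As an added example (not part of the thread or of the App Engine SDK), this check reads an app.yaml and reports whether the remote_api handler carries the `secure` setting asked about above. The sample app.yaml is constructed, and `parse_handlers` and `check_remote_api` are hypothetical helper names.

```python
import re

# Constructed sample app.yaml (not from the thread): the remote_api handler
# has no "secure" key, the state the asker started from.
SAMPLE_APP_YAML = """\
handlers:
- url: /remote_api
  script: $PYTHON_LIB/google/appengine/ext/remote_api/handler.py
  login: admin
- url: /.*
  script: main.py
  secure: optional
"""

def parse_handlers(text):
    """Parse the flat 'handlers:' list of scalar keys; not a general YAML parser."""
    handlers, in_handlers = [], False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace() and not line.startswith("-"):
            in_handlers = line.startswith("handlers:")  # any other top-level key ends the list
            continue
        m = re.match(r"\s*(-\s*)?(\w+):\s*(.*?)\s*$", line)
        if not (in_handlers and m):
            continue
        if m.group(1):  # "- url: ..." starts a new handler entry
            handlers.append({})
        if handlers:
            handlers[-1][m.group(2)] = m.group(3)
    return handlers

def check_remote_api(text):
    """Return (url, secure, verdict) for each handler whose script is remote_api."""
    verdicts = {
        "always": "ok: HTTPS required by handler; clients pass secure=True",
        "optional": "ok: HTTPS allowed; clients must pass secure=True",
    }
    findings = []
    for h in parse_handlers(text):
        if "remote_api" in h.get("script", ""):
            secure = h.get("secure", "unset")
            findings.append((h.get("url"), secure, verdicts.get(
                secure, "fail: set secure to always or optional")))
    return findings

if __name__ == "__main__":
    for finding in check_remote_api(SAMPLE_APP_YAML):
        print(finding)
```

The parser ignores inline comments and quoted values, so it suits a quick review of a simple handlers list rather than arbitrary YAML.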