security-constraint issue in web descriptor

[Herbert Gomez]

Hello colleagues,

Formerly my GAE app has certain configuration of the web descriptor to make use of the Google Account authentication service. This configuration looked as follows:

<security-constraint>

        <web-resource-collection>

        <web-resource-name>Protected Area</web-resource-name>

            <url-pattern>/*</url-pattern>

        </web-resource-collection>

        <auth-constraint>

            <role-name>*</role-name>

        </auth-constraint>

</security-constraint>

Later on, I implemented some Push queues but they did not work with the security configuration included above. Therefore, I had to create two different url patterns as follows: /web/* and /task/*, for web resources and queues respectively; and also modified my web descriptor as follows:

<security-constraint>

        <web-resource-collection>

        <web-resource-name>Protected Area</web-resource-name>

            <url-pattern>/web/*</url-pattern>

        </web-resource-collection>

        <auth-constraint>

            <role-name>*</role-name>

        </auth-constraint>

</security-constraint>

With this new configuration the queues worked just fine but the Google Account authentication service did not. Since some days, the new configuration is generating a new flaw: data from my datastore is not rendered neither local nor hosted. When I test my application locally, it seems to be an issue with the AJAX function which renders data from my app.

Can you suggest me any configuration for my security-constraints descriptor?

Regards,

Herbert