Unable to restrict my endpoints with an API key in Java


Azeem Haider

Aug 29, 2018, 9:19:23 PM
to Google App Engine
I want to prevent random internet traffic from accessing my endpoints. I'm using Cloud Endpoints v2 for Java. My problem is that anyone can access these endpoint methods through the API Explorer, or directly via the URL if they know it. I want to protect my endpoints. I read the documentation on how to restrict the whole API, or some methods, by using an API key: https://cloud.google.com/endpoints/docs/frameworks/java/restricting-api-access-with-api-keys-frameworks

Here is what I'm trying.

import com.google.api.server.spi.config.AnnotationBoolean;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.config.Named;

@Api(
        name = "zeem",
        version = "v1"
)
public class Account {

    // apiKeyRequired marks this method as requiring an API key in the generated OpenAPI spec.
    @ApiMethod(name = "getRegistration", path = "getRegistration", apiKeyRequired = AnnotationBoolean.TRUE)
    public Registered getRegistration(@Named("phone") Long phone) {
        // code ....
    }
}

I can run this method without any API key from the API Explorer and it works successfully.
Even when I access this method directly from the URL it also works, successfully returning the correct data.

I'm adding API management. Here is how openapi.json looks for this function.

"/zeem/v1/getRegistration": {
  "get": {
    "operationId": "ZeemGetRegistration",
    "parameters": [
      {
        "name": "phone",
        "in": "query",
        "required": true,
        "type": "integer",
        "format": "int64"
      }
    ],
    "responses": {
      "200": {
        "description": "A successful response",
        "schema": {
          "$ref": "#/definitions/Registered"
        }
      }
    },
    "security": [
      {
        "api_key": []
      }
    ]
  }
},

See the image below for how the Endpoints service looks in the GCP console.

endpoint.PNG



Here is my web.xml.

<?xml version="1.0" encoding="utf-8"?>
<!-- [START_EXCLUDE] -->
<!--
  Copyright 2016 Google Inc.
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- [END_EXCLUDE] -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
         http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <welcome-file-list>
        <welcome-file>welcome</welcome-file>
    </welcome-file-list>

    <!-- OBJECTIFY -->
    <filter>
        <filter-name>ObjectifyFilter</filter-name>
        <filter-class>com.googlecode.objectify.ObjectifyFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ObjectifyFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- ENDPOINTS -->
    <servlet>
        <servlet-name>EndpointsServlet</servlet-name>
        <servlet-class>com.google.api.server.spi.EndpointsServlet</servlet-class>
        <init-param>
            <param-name>services</param-name>
            <param-value>
                org.octabyte.zeem.API.Account,
                org.octabyte.zeem.API.CommentApi,
                org.octabyte.zeem.API.FriendApi,
                org.octabyte.zeem.API.ListApi,
                org.octabyte.zeem.API.PostApi,
                org.octabyte.zeem.API.SearchApi,
                org.octabyte.zeem.API.UserApi,
                org.octabyte.zeem.API.StoryApi
            </param-value>
        </init-param>
    </servlet>
    <!-- Route API method requests to the backend. -->
    <servlet-mapping>
        <servlet-name>EndpointsServlet</servlet-name>
        <url-pattern>/_ah/api/*</url-pattern>
    </servlet-mapping>

    <!-- Security -->
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>admin</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

</web-app>

And here is how my pom.xml looks.

<!-- Copyright 2016 Google Inc. Licensed under the Apache License, Version
     2.0 (the "License"); you may not use this file except in compliance with
     the License. You may obtain a copy of the License at
     http://www.apache.org/licenses/LICENSE-2.0
     Unless required by applicable law or agreed to in writing, software distributed
     under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
     OR CONDITIONS OF ANY KIND, either express or implied. See the License for
     the specific language governing permissions and limitations under the License. -->

<project>
    <modelVersion>4.0.0</modelVersion>
    <packaging>war</packaging>
    <version>1.0-SNAPSHOT</version>
    <groupId>com.azeem.endpoint</groupId>
    <artifactId>endpoint</artifactId>

    <!-- [START properties] -->
    <properties>
        <!-- OBJECTIFY -->
        <objectify.version>5.1.5</objectify.version>
        <guava.version>19.0</guava.version>

        <!-- ENDPOINTS -->
        <endpoints.framework.version>2.0.8</endpoints.framework.version>
        <endpoints.management.version>1.0.4</endpoints.management.version>
        <endpoints.project.id>my-profect-id</endpoints.project.id>

        <maven.compiler.target>1.8</maven.compiler.target>
        <maven.compiler.source>1.8</maven.compiler.source>
    </properties>
    <!-- [END properties] -->

    <dependencies>

        <!-- Firebase push Notification -->
        <dependency>
            <groupId>com.google.firebase</groupId>
            <artifactId>firebase-admin</artifactId>
            <version>6.2.0</version>
        </dependency>
        <!-- End Firebase push Notification-->

        <!-- GEO HASH -->
        <dependency>
            <groupId>de.alpharogroup</groupId>
            <artifactId>jgeohash-core</artifactId>
            <version>2.4.0</version>
        </dependency>
        <!-- END GEO HASH -->

        <!-- [START Objectify_Dependencies] -->
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>${guava.version}</version>
        </dependency>
        <dependency>
            <groupId>com.googlecode.objectify</groupId>
            <artifactId>objectify</artifactId>
            <version>${objectify.version}</version>
        </dependency>
        <!-- [END Objectify_Dependencies] -->

        <!-- ENDPOINTS -->
        <dependency>
            <groupId>com.google.endpoints</groupId>
            <artifactId>endpoints-framework</artifactId>
            <version>${endpoints.framework.version}</version>
        </dependency>

        <dependency>
            <groupId>com.google.endpoints</groupId>
            <artifactId>endpoints-management-control-appengine-all</artifactId>
            <version>1.0.5</version>
        </dependency>

        <!-- Parent POM defines ${appengine.sdk.version} (updates frequently). -->
        <dependency>
            <groupId>com.google.appengine</groupId>
            <artifactId>appengine-api-1.0-sdk</artifactId>
            <version>1.9.57</version>
        </dependency>

        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>3.1.0</version>
            <type>jar</type>
            <scope>provided</scope>
        </dependency>

        <dependency>
            <groupId>jstl</groupId>
            <artifactId>jstl</artifactId>
            <version>1.2</version>
        </dependency>

        <dependency>
            <groupId>com.google.api-client</groupId>
            <artifactId>google-api-client-appengine</artifactId>
            <version>1.23.0</version>
        </dependency>

    </dependencies>

    <build>
        <!-- for hot reload of the web application -->
        <outputDirectory>${project.build.directory}/${project.build.finalName}/WEB-INF/classes</outputDirectory>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <version>3.0.0</version>
                <configuration>
                    <webResources>
                        <!-- in order to interpolate version from pom into appengine-web.xml -->
                        <resource>
                            <directory>${basedir}/src/main/webapp/WEB-INF</directory>
                            <filtering>true</filtering>
                            <targetPath>WEB-INF</targetPath>
                        </resource>
                    </webResources>
                </configuration>
            </plugin>

            <plugin>
                <groupId>com.google.cloud.tools</groupId>
                <artifactId>appengine-maven-plugin</artifactId>
                <version>1.3.1</version>
                <configuration>
                    <deploy.promote>true</deploy.promote>
                    <deploy.stopPreviousVersion>true</deploy.stopPreviousVersion>
                </configuration>
            </plugin>

            <plugin>
                <groupId>com.google.cloud.tools</groupId>
                <artifactId>endpoints-framework-maven-plugin</artifactId>
                <version>1.0.2</version>
                <configuration>
                    <!-- plugin configuration -->
                    <hostname>${endpoints.project.id}.appspot.com</hostname>
                </configuration>
            </plugin>

        </plugins>
    </build>
</project>

Can you please let me know what I'm missing? I can access endpoint methods without any API key.
I also posted a question on Stack Overflow here: https://stackoverflow.com/questions/52005671/restricting-my-endpoints-with-api-key-in-java
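For comparison with the web.xml above, here is the filter configuration that the "Adding API management" step in the linked Endpoints Frameworks documentation calls for. This is an added example, not the original post's file or Google's sample project; MY_PROJECT_ID is a placeholder. The apiKeyRequired annotation only records the requirement in the generated OpenAPI spec; the key is actually checked at request time by these two filters, so they are the first thing to verify when a protected method answers without a key.

```xml
<!-- Added example: Endpoints Frameworks API management filters.
     Goes inside <web-app>, next to the existing EndpointsServlet definition.
     MY_PROJECT_ID is a placeholder for the GCP project id. -->

<!-- Loads the service configuration that was deployed with
     `gcloud endpoints services deploy openapi.json`, including the
     per-method "security": [{"api_key": []}] requirements. -->
<filter>
    <filter-name>endpoints-api-configuration</filter-name>
    <filter-class>com.google.api.control.ServiceManagementConfigFilter</filter-class>
</filter>

<!-- Enforces the loaded configuration on every API request: rejects
     calls to apiKeyRequired methods that carry no valid key, and reports
     usage to Service Control. -->
<filter>
    <filter-name>endpoints-api-controller</filter-name>
    <filter-class>com.google.api.control.extensions.appengine.GoogleAppEngineControlFilter</filter-class>
    <init-param>
        <param-name>endpoints.projectId</param-name>
        <param-value>MY_PROJECT_ID</param-value>
    </init-param>
    <init-param>
        <param-name>endpoints.serviceName</param-name>
        <param-value>MY_PROJECT_ID.appspot.com</param-value>
    </init-param>
</filter>

<!-- Map both filters to the servlet, not to a URL pattern, so they wrap
     exactly the requests EndpointsServlet handles and run in this order. -->
<filter-mapping>
    <filter-name>endpoints-api-configuration</filter-name>
    <servlet-name>EndpointsServlet</servlet-name>
</filter-mapping>
<filter-mapping>
    <filter-name>endpoints-api-controller</filter-name>
    <servlet-name>EndpointsServlet</servlet-name>
</filter-mapping>
```

With these filters active, a request to /_ah/api/zeem/v1/getRegistration that carries no key is rejected by the control filter before getRegistration runs; a plain HTTP request from outside the project is the clearest way to confirm this. Note that an API key identifies the calling project, not a user, so it limits who can call the API but does not authenticate the caller.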




Ying Li

Aug 30, 2018, 11:28:31 AM
to Google App Engine
This is an actual bug and best reported on our Public Issue Tracker. I noticed that your Issue Tracker case was mistakenly closed but I have reopened it. I will assist you there.