Cookies on Cloud Endpoints Java


Brian Henry

Feb 17, 2014, 8:07:42 AM
to google-a...@googlegroups.com
Can anyone tell me how to allow cookies when using Cloud Endpoints with Java? They're accessible when using the local dev server but once I deploy to .appspot HttpServletRequest.getCookies() is null.

There's an answer on SO for Python:
http://stackoverflow.com/questions/15690831/cloud-endpoints-http-cookies

- which led me to find an equivalent class com.google.api.server.spi.config.ApiAuthConfig with setAllowCookieAuth(boolean) method but I don't know how to use it with my endpoint class.

Vinny P

Feb 19, 2014, 10:01:35 PM
to google-a...@googlegroups.com
On Mon, Feb 17, 2014 at 7:07 AM, Brian Henry <brian....@gmail.com> wrote:
> Can anyone tell me how to allow cookies when using Cloud Endpoints with Java? They're accessible when using the local dev server but once I deploy to .appspot HttpServletRequest.getCookies() is null.


If you call HttpServletRequest.getHeaderNames(), do you see the cookie request headers listed?
 
 
-----------------
-Vinny P
Technology & Media Advisor
Chicago, IL

App Engine Code Samples: http://www.learntogoogleit.com

Brian Henry

Feb 20, 2014, 8:58:56 AM
to google-a...@googlegroups.com
After posting that, I found a bug report with the same problem:

I also figured there should be an annotation:
@ApiAuth(allowCookieAuth = AnnotationBoolean.TRUE)

but it didn't make any difference when I tried it.

Cookie is in the request header on the dev server but not on appspot. I get the following headers:
Host
Accept
Accept-Language
Cache-Control
Content-Length
Content-Type
dnt
method
origin
originalMethod
Referer
User-Agent
X-Appengine-Peer
Accept-Charset
X-AppEngine-Country
X-AppEngine-Region
X-AppEngine-City
X-AppEngine-CityLatLong
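
An added example, not part of any post in this thread: one way to attach the `@ApiAuth` setting quoted above to an endpoint class and run the `getHeaderNames()` check from inside an API method. It assumes the Cloud Endpoints Java framework is on the classpath; the API name `cookiediag`, the class `CookieDiagEndpoint` and the method `requestInfo` are hypothetical.

```java
import com.google.api.server.spi.config.AnnotationBoolean;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiAuth;
import com.google.api.server.spi.config.ApiMethod;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

// Hypothetical API name and class; the auth setting is the one quoted in the thread.
@Api(name = "cookiediag", version = "v1",
     auth = @ApiAuth(allowCookieAuth = AnnotationBoolean.TRUE))
public class CookieDiagEndpoint {

  /** Response bean: names only, so no header or cookie values leave the server. */
  public static class RequestInfo {
    private final List<String> headerNames = new ArrayList<String>();
    private final List<String> cookieNames = new ArrayList<String>();
    private boolean cookieHeaderPresent;

    public List<String> getHeaderNames() { return headerNames; }
    public List<String> getCookieNames() { return cookieNames; }
    public boolean isCookieHeaderPresent() { return cookieHeaderPresent; }
  }

  // HttpServletRequest is one of the types Endpoints injects into API methods.
  @ApiMethod(name = "requestInfo", path = "requestInfo",
             httpMethod = ApiMethod.HttpMethod.GET)
  public RequestInfo requestInfo(HttpServletRequest req) {
    RequestInfo info = new RequestInfo();
    Enumeration<?> names = req.getHeaderNames();
    while (names != null && names.hasMoreElements()) {
      String name = String.valueOf(names.nextElement());
      info.headerNames.add(name);
      if ("cookie".equalsIgnoreCase(name)) {
        info.cookieHeaderPresent = true;
      }
    }
    // getCookies() returns null, not an empty array, when no cookies arrive.
    Cookie[] cookies = req.getCookies();
    if (cookies != null) {
      for (Cookie c : cookies) {
        info.cookieNames.add(c.getName());
      }
    }
    return info;
  }
}
```

Calling the method on the dev server and on the deployed app and comparing the two responses shows whether the `Cookie` header reaches the backend at all; remove the method once the comparison is done.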

Emanuele Ziglioli

Feb 20, 2014, 4:42:11 PM
to google-a...@googlegroups.com
I can't say whether it's exactly the same problem you're seeing, but I couldn't get Vosao's (cookie-based) authentication to work with Cloud Endpoints.
The reason is that the way Endpoints is implemented (in Java, at least), there's a servlet listening to REST requests that internally posts an RPC request to another servlet.
This mechanism means that the cookie from the first request is passed on to the second request, but for subsequent requests the internal "socket" between the two servlets was already established with the first request. Therefore all subsequent requests are authenticated as if they were coming from the first user, a security nightmare.
There might be a way around it, for example avoiding REST requests altogether and using RPC directly.