Secure all URLs Security constraint is not working in App engine Standard java

Azeem Haider

Aug 17, 2018, 10:59:41 PM
to Google App Engine


I'm using App Engine standard environment. I want to make all URLs accessible only to admin.

Here is my web.xml, but this one is not working for me. I tested it on local development.


<web-app>
......

  <!-- Security -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

.....
</web-app>



I checked the documentation right here: Security and Authentication. Can you please let me know why this one is not working for me? What am I doing wrong?

The second thing I want to ask is: if I protect all URLs so that only admin can access them, can I still use the Cloud Endpoints lib in Android? Can my app access endpoints without any login or not?

I'm using Java 8.

David (Google Cloud Support)

Aug 21, 2018, 11:23:24 AM
to Google App Engine

Hello,


If you are using an SDK, try rebuilding the project and re-opening the SDK. Doing this will ensure that the problem is not coming from the SDK running an older build.


However, if the URLs are still not asking for admin privileges, I would recommend adding security constraints to each file separately by putting the full path, and seeing if that works first. Doing this, you will be able to confirm if somehow the problem is url-pattern related. You can read more about how URL mappings and security constraints are handled in chapter 11 “Mapping Requests to Servlets” and 12.8 “Specifying Security Constraints” of this third-party document, Java(TM) Servlet Specification 2.4 Final Release; you would need to accept the licence agreement and download the first document.


As for your second question, requests are routed to the Service Control API, which decides if these are permitted or not depending on how you configure your API, before sending them to the endpoints of your application. Please review this document, Endpoints Frameworks, in order to learn more about Endpoints Frameworks and how requests are handled on the App Engine standard environment. For more information about adding user authentication to an API for applications using Cloud Endpoints Frameworks, please review this document: Authenticating users.
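
The url-pattern check suggested in the reply above can also be done offline. Added example, not part of the original thread or of App Engine's code: a Python sketch that reads the security constraints from a web.xml and applies the Servlet specification's matching order (exact, longest path prefix, extension, default) to a request path. The sample web.xml and paths are constructed, the function names are hypothetical, and http-method filters and the merging of constraints that share a pattern are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the question, with the elided parts left out.
WEB_XML = """<web-app>
  <security-role><role-name>admin</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Drop an XML namespace such as '{http://...}web-app' from a tag name."""
    return tag.rsplit("}", 1)[-1]

def load_constraints(xml_text):
    """Return (url_pattern, roles) pairs; roles is None without an auth-constraint."""
    pairs = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        nodes = [(_local(e.tag), (e.text or "").strip()) for e in sc.iter()]
        has_auth = any(name == "auth-constraint" for name, _ in nodes)
        roles = [t for name, t in nodes if name == "role-name"] if has_auth else None
        pairs += [(t, roles) for name, t in nodes if name == "url-pattern"]
    return pairs

def match_rank(pattern, path):
    """Rank a match by Servlet-spec precedence; None means the pattern does not apply."""
    if pattern == path:
        return (3, len(pattern))   # exact match
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))   # path-prefix match, longest prefix wins
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)              # extension match
    if pattern == "/":
        return (0, 0)              # default mapping
    return None

def required_roles(constraints, path):
    """Roles demanded for path by the best-matching pattern, or None if unconstrained."""
    ranked = [(match_rank(p, path), roles) for p, roles in constraints]
    ranked = [(rank, roles) for rank, roles in ranked if rank is not None]
    return max(ranked, key=lambda item: item[0])[1] if ranked else None

if __name__ == "__main__":
    for path in ("/", "/index.html", "/reports/daily.jsp"):  # constructed paths
        print(path, "->", required_roles(load_constraints(WEB_XML), path))
```

If every path reports the admin role here but the running server still serves pages without a login, the pattern itself is not the cause and the deployed descriptor or build is the next thing to compare.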
