views:

155

answers:

2

Hello,

for an online bug report web application, I need to find a way how any user can submit a bug report (using HTTP POST) to a Servlet in a Google App Engine application, while all other Servlets (the application admin interface) are protected so that they grant access only to users which have logged in with their Google account. The application runs at /* and if this URL is secured using Google Accounts, no servlet will be available without authentication and there seems to be no way to exclude a URL from authentication.

So this should be protected:

<url-pattern>/*</url-pattern>

While this should be public:

<url-pattern>/addbugreport</url-pattern>
  • just an idea for a workaround: all servlets in the application (except the public one) could check if a user has logged on (and forward to a login page if not logged in)
+1  A: 

Put the protected resources in a different context (directory) from the public (using servlet-mapping's in web.xml). If the public resources are in '/', put the protected in '/admin' and define a security-contraint (also in web.xml) for that context only.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin resources</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>*</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

If you add more protected contexts to the application, you need to define security-contraints for them as well.

mafro
See my edit, actually I want to keep the protected admin interface at / and put the public available servlet at /newbugreport - but maybe it is only possible to drop this plan and follow your your suggestion, so +1
mjustin
If url-patterns are more important than declarative security; implement the user-check as a servlet Filter (mapped to '/*'). This will, in a clean way, separate security from request-handling logic.
mafro
Good idea - it is a Wicket application, so it is a filter already and adding some security logic code to it should be easy. Could you add your comment as an answer so I can accept it?
mjustin
+1  A: 

If url-patterns are more important than declarative security; implement the user-check as a servlet Filter (mapped to '/*'). This will, in a clean way, separate security from request-handling logic.

mafro