tags:

views:

155

answers:

2
Q: 

Grant public access to one GAE servlet but use authentication for all other resources?

Hello,

for an online bug report web application, I need to find a way how any user can submit a bug report (using HTTP POST) to a Servlet in a Google App Engine application, while all other Servlets (the application admin interface) are protected so that they grant access only to users which have logged in with their Google account. The application runs at /* and if this URL is secured using Google Accounts, no servlet will be available without authentication and there seems to be no way to exclude a URL from authentication.

So this should be protected:

<url-pattern>/*</url-pattern>

While this should be public:

<url-pattern>/addbugreport</url-pattern>
  • just an idea for a workaround: all servlets in the application (except the public one) could check if a user has logged on (and forward to a login page if not logged in)
+1  A: 

Put the protected resources in a different context (directory) from the public (using servlet-mapping's in web.xml). If the public resources are in '/', put the protected in '/admin' and define a security-contraint (also in web.xml) for that context only.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin resources</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>*</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

If you add more protected contexts to the application, you need to define security-contraints for them as well.

mafro  2010-01-16 16:48:44
See my edit, actually I want to keep the protected admin interface at / and put the public available servlet at /newbugreport - but maybe it is only possible to drop this plan and follow your your suggestion, so +1
mjustin  2010-01-16 21:39:27
If url-patterns are more important than declarative security; implement the user-check as a servlet Filter (mapped to '/*'). This will, in a clean way, separate security from request-handling logic.
mafro  2010-01-17 09:18:05
Good idea - it is a Wicket application, so it is a filter already and adding some security logic code to it should be easy. Could you add your comment as an answer so I can accept it?
mjustin  2010-01-17 13:26:42
+1  A: 

If url-patterns are more important than declarative security; implement the user-check as a servlet Filter (mapped to '/*'). This will, in a clean way, separate security from request-handling logic.

mafro  2010-01-17 15:27:28

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java