It seems to me that when you've got low (in general hacking terms) quotas (I am talking about the free GAE plan) and quite large files you want to stream to your users, you must somehow protect those files from "bad" users.

So it is sad

By default, App Engine makes all files in the WAR available as static files except JSPs and files in WEB-INF/. Any request for a URL whose path matches a static file serves the file directly to the browser—even if the path also matches a servlet or filter mapping.

What are short-to-implement methods of folder protection inside the WAR? (code, samples, articles, examples, etc.)

(Situation: we use GAE for Java, so we are just programming JSP, Java, XML, JS and HTML. So: an empty GAE project, no source yet (just some default HTML), and a folder 'data' in that WAR with some files that should not get into bad hands.)

A: 

Hello, the only thing I could think of was the <security-constraint> element that you can add in the deployment descriptor. As you may know, an App Engine application can use Google Accounts for user authentication. An app can also specify access restrictions for URL paths based on Google Accounts, using the element mentioned in the deployment descriptor. These security constraints apply to static files as well as servlets.

But that is as far as it goes, because: "Google App Engine does not support custom security roles (<security-role>) or alternate authentication mechanisms (<login-config>) in the deployment descriptor."

For more information, take a look at the GAE Java Deployment Descriptor: http://code.google.com/appengine/docs/java/config/webxml.html#Security_and_Authentication

Hope this helps!

ramayac
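
A WEB-INF/web.xml sketch of the <security-constraint> approach from the answer above, applied to the question's 'data' folder. This is an added example, not part of the original answer; the /data/private/ subfolder and the resource names are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Everything under /data/ (static files included) requires a
       signed-in Google Account. Anonymous requests are redirected
       to the Google Accounts sign-in page. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>data</web-resource-name>
      <url-pattern>/data/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "*" = any signed-in Google Account -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Hypothetical subfolder restricted to the application's
       registered administrators only. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>data-private</web-resource-name>
      <url-pattern>/data/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "admin" = developers/administrators of this app -->
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

</web-app>
```

The "*" role admits anyone who holds a Google Account, so it identifies downloaders but does not limit who they are; "admin" is the only narrower role available, since custom <security-role> entries are not supported.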