https only in google app engine

醉酒当歌 提交于 2019-12-17 18:27:39

问题


I am on a google app engine project now. In my application I have to allow only https protocol. And I have to restrict other protocols. It should allow https only. I have added the below code in web.xml.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

But after deploying it works on both the protocols(http and https). How to restrict http?


回答1:


It is possible to configure the individual handlers to require HTTPS in the app.yaml file in the WEB-INF folder as described here: Java Application Configuration Using app.yaml - Google App Engine.

You just have to add these two words to your app.yaml file under the appropriate url entry:
secure: always

For example:

- url: .*
  script: main.app
  secure: always

Then if a user tries to access the URL with HTTP she will be automatically redirected to HTTPS. Pretty cool.




回答2:


If you want to stick with "web.xml" rather than using the "app.yaml" option (which will overwrite your web.xml & appengine-web.xml files at deploy time), you can add in:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>everything</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Reference: https://cloud.google.com/appengine/docs/java/config/webxml#Security_and_Authentication




回答3:


Are you using your own domain? At present, GAE supports SSL for *.appspot.com domains only. They have been promising SSL support for non-appspot domains for some time now and we're all waiting for news on that front.




回答4:


This is for future folks !!!

  1. In java adding the code below in my web.xml file worked for me

    <security-constraint>
       <web-resource-collection>
          <web-resource-name>HTTPS redirect</web-resource-name>
          <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
    </security-constraint>
    
  2. For other project add secure: always under all urls in app.yaml file




回答5:


Add this to your web.xml file

<security-constraint>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>


来源:https://stackoverflow.com/questions/5367974/https-only-in-google-app-engine

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!