问题
I am on a google app engine project now. In my application I have to allow only https protocol. And I have to restrict other protocols. It should allow https only. I have added the below code in web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
But after deploying it works on both the protocols(http and https). How to restrict http?
回答1:
It is possible to configure the individual handlers to require HTTPS in the app.yaml file in the WEB-INF folder as described here: Java Application Configuration Using app.yaml - Google App Engine.
You just have to add these two words to your app.yaml
file under the appropriate url
entry:secure: always
For example:
- url: .*
script: main.app
secure: always
Then if a user tries to access the URL with HTTP she will be automatically redirected to HTTPS. Pretty cool.
回答2:
If you want to stick with "web.xml" rather than using the "app.yaml" option (which will overwrite your web.xml & appengine-web.xml files at deploy time), you can add in:
<security-constraint>
<web-resource-collection>
<web-resource-name>everything</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Reference: https://cloud.google.com/appengine/docs/java/config/webxml#Security_and_Authentication
回答3:
Are you using your own domain? At present, GAE supports SSL for *.appspot.com domains only. They have been promising SSL support for non-appspot domains for some time now and we're all waiting for news on that front.
回答4:
This is for future folks !!!
In java adding the code below in my
web.xml
file worked for me<security-constraint> <web-resource-collection> <web-resource-name>HTTPS redirect</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
For other project add
secure: always
under all urls inapp.yaml
file
回答5:
Add this to your web.xml file
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
来源:https://stackoverflow.com/questions/5367974/https-only-in-google-app-engine