On Sat, Dec 10, 2011 at 6:26 AM, BoulderGae <sc...@scmlabs.com> wrote:
> The user service will always return null when cron is calling.  The
> way to tell that cron is calling is to check for the "X-AppEngine-
> Cron" header.  It is set by the cron service and is stripped from all
> other calls to your URLs.  That is the best you can do until the GAE
> cron service is better integrated into the user service.

Thanks for all suggestions - I knew the X-AppEngine-Cron header, but
that's more obscurity and not really security. I was also thinking
about checking IPs - but that seems to be too complicated and error prone
and not secure enough as well...


Thanks a lot for all your suggestions :)

I guess I have to work around that...


Best,

Raphael


>
> scott
>
> On Dec 8, 4:08 am, Raphael André Bauer <raphael.andre.ba...@gmail.com>
> wrote:
>> Hi,
>>
>> I am currently trying to secure my urls that are accessed by cron jobs / 
>> tasks.
>>
>> Normally I would use web.xml like that:
>>
>>     <security-constraint>
>>         <web-resource-collection>
>>             <web-resource-name>Protected Area</web-resource-name>
>>             <url-pattern>/cron/*</url-pattern>
>>         </web-resource-collection>
>>         <auth-constraint>
>>             <role-name>admin</role-name>
>>         </auth-constraint>
>>     </security-constraint>
>>
>> However, I got a constraint, where these urls should be allowed to be
>> triggered by other authentication mechanisms.
>>
>> Therefore I tried to use the UserService if an authenticated user is
>> hitting the url. I thought cron is an authenticated user...
>>
>>     UserService userService = UserServiceFactory.getUserService();
>>
>>     if (!userService.isUserLoggedIn()) {
>>         // do nothing
>>     } else if (!userService.isUserAdmin()) {
>>         // do nothing
>>     }
>>
>>     // allow stuff to work...
>>
>> But I do not get a logged in user when cron is programmatically hitting my 
>> urls.
>>
>> Is there a way to determine if google app engine is hitting my urls
>> without using web.xml security constraints?
>>
>> Thanks,
>>
>> Best,
>>
>> Raphael
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Google App Engine for Java" group.
> To post to this group, send email to google-appengine-java@googlegroups.com.
> To unsubscribe from this group, send email to 
> google-appengine-java+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/google-appengine-java?hl=en.
>



-- 
inc: http://ars-machina.raphaelbauer.com
tech: http://ars-codia.raphaelbauer.com
web: http://raphaelbauer.com
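
One way to combine the two checks discussed in this thread, as an added example that is not code from either poster: a servlet filter for `/cron/*` that lets a request through when it carries the X-AppEngine-Cron header (which, per the quoted reply, App Engine sets for cron and strips from all other calls) or when it comes from a logged-in admin, and answers 403 otherwise. The class name `CronOrAdminFilter` and the header value `"true"` are assumptions; the filter would be mapped in web.xml in place of the `<security-constraint>`.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

// Hypothetical filter: allows App Engine cron OR a signed-in admin, denies the rest.
public class CronOrAdminFilter implements Filter {

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Further authentication mechanisms can be added as extra conditions here.
        if (isCron(request) || isAdmin()) {
            chain.doFilter(req, res);
            return;
        }
        // Deny by default instead of silently falling through.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    // The header is only meaningful when the request arrives through App Engine's
    // frontend, which removes it from external requests. Assumed value: "true".
    static boolean isCron(HttpServletRequest request) {
        return "true".equals(request.getHeader("X-AppEngine-Cron"));
    }

    // Cron requests have no user, so check isUserLoggedIn() first:
    // isUserAdmin() throws IllegalStateException when nobody is logged in.
    static boolean isAdmin() {
        UserService userService = UserServiceFactory.getUserService();
        return userService.isUserLoggedIn() && userService.isUserAdmin();
    }

    @Override
    public void destroy() {}
}
```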
