On Sat, Dec 10, 2011 at 6:26 AM, BoulderGae <[email protected]> wrote:
> The user service will always return null when cron is calling. The
> way to tell that cron is calling is to check for the "X-AppEngine-Cron"
> header. It is set by the cron service and is stripped from all
> other calls to your URLs. That is the best you can do until the GAE
> cron service is better integrated into the user service.

Thanks for all suggestions - I knew the X-AppEngine-Cron header, but that's more obscurity and not really security.

I was also thinking of checking IPs - but that seems to be too complicated and error prone and not secure enough as well...

Thanks a lot for all your suggestions :)
I guess I have to work around that...

Best,

Raphael

>
> scott
>
> On Dec 8, 4:08 am, Raphael André Bauer <[email protected]>
> wrote:
>> Hi,
>>
>> I am currently trying to secure my urls that are accessed by cron jobs /
>> tasks.
>>
>> Normally I would use web.xml like that:
>>
>> <security-constraint>
>>     <web-resource-collection>
>>         <web-resource-name>Protected Area</web-resource-name>
>>         <url-pattern>/cron/*</url-pattern>
>>     </web-resource-collection>
>>     <auth-constraint>
>>         <role-name>admin</role-name>
>>     </auth-constraint>
>> </security-constraint>
>>
>> However, I got a constraint, where these urls should be allowed to be
>> triggered by other authentication mechanisms.
>>
>> Therefore I tried to use the UserService if an authenticated user is
>> hitting the url. I thought cron is an authenticated user...
>>
>>     UserService userService = UserServiceFactory.getUserService();
>>
>>     if (!userService.isUserLoggedIn()) {
>>         //do nothing
>>     } else if (!userService.isUserAdmin()) {
>>         //do nothing
>>     }
>>
>>     //allow stuff to work...
>>
>> }
>>
>> But I do not get a logged in user when cron is programmatically hitting my
>> urls.
>>
>> Is there a way to determine if google app engine is hitting my urls
>> without using web.xml security constraints?
>>
>> Thanks,
>>
>> Best,
>>
>> Raphael
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine for Java" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-appengine-java?hl=en.

--
inc: http://ars-machina.raphaelbauer.com
tech: http://ars-codia.raphaelbauer.com
web: http://raphaelbauer.com
