I've been playing around with security in my test app, and was hoping 
someone could confirm my understanding of things.

I have the following in my web.xml

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Site</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Which as far as I can tell forces everyone through the Google login no 
matter what URL they use. Is this correct?

I also have

  <filter-mapping>
    <filter-name>IdentityCheck</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Which as far as I can tell only invokes the filter if a servlet is being 
invoked. It will not invoke a filter for any static content such as an HTML 
file. Is this correct?

I wanted to set up a second level of authentication to force people to 
register another identity with the site, and I thought I could do this with 
the filter by comparing their Google ID with a list of previously authenticated 
Google IDs. That is, they would only have to go through second level 
authentication once, and then the app would automatically let them through once 
they authenticated their Google ID.

But if filters only run when invoking a servlet, then static content cannot 
be protected this way because the second level of authentication will never 
get invoked.

Am I understanding this all correctly?

Is there any other mechanism I can use to implement this second level of 
authentication that does cover static content too?

Cheers, Eric
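The second-level check described in the post, written out as an added example (not code from the post or from App Engine). It assumes the Google login from the security-constraint is the first level, uses the App Engine Users API for the current user, and stands in a constructed in-memory set for the datastore table of already-registered Google IDs; the `/register` path and `IdentityCheck` class name are assumptions.

```java
// Added example: second-level registration check as a servlet Filter.
// Assumes the App Engine Users API provides the first-level Google login
// and that REGISTERED_IDS stands in for a persistent datastore lookup.
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.*;

public class IdentityCheck implements Filter {
    // Constructed stand-in for the set of Google user IDs that already completed
    // the second-level registration; a real app would query the datastore here.
    private static final Set<String> REGISTERED_IDS = ConcurrentHashMap.newKeySet();

    // Assumed path of the registration flow; it must stay reachable for unregistered users.
    private static final String REGISTER_PATH = "/register";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        UserService users = UserServiceFactory.getUserService();
        User user = users.getCurrentUser();
        // Defence in depth: the security-constraint should already force a login,
        // but the filter does not rely on it and sends anonymous requests to login.
        if (user == null) {
            response.sendRedirect(users.createLoginURL(request.getRequestURI()));
            return;
        }
        // Compare the stable Google user ID (not the e-mail, which can change)
        // against the registered set; unregistered users go to the registration page.
        String registerUrl = request.getContextPath() + REGISTER_PATH;
        if (!REGISTERED_IDS.contains(user.getUserId())
                && !request.getRequestURI().startsWith(registerUrl)) {
            response.sendRedirect(registerUrl);
            return;
        }
        chain.doFilter(req, res);
    }

    // Called by the registration servlet once the user completes the second step.
    public static void markRegistered(String googleUserId) {
        REGISTERED_IDS.add(googleUserId);
    }
}
```

Only requests that reach the servlet container pass through this filter, so any file App Engine serves as static content (the `<static-files>` section of appengine-web.xml) bypasses it; such files have to be served through a servlet or declared as resource files to stay behind the check.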

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To post to this group, send email to google-appengine@googlegroups.com.
To unsubscribe from this group, send email to 
google-appengine+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-appengine?hl=en.
