You are correct. Google stores and serves static files differently than Filters/Servlets/Resources. I know of two alternatives:
1. Store your files as resources 2. Store static content in Datastore Erick On Fri, May 13, 2011 at 6:49 PM, Eric Kolotyluk <eric.koloty...@gmail.com>wrote: > I've been playing around with security in my test app, and was hoping > someone could confirm my understanding of things. > > I have the following in my web.xml > > <security-constraint> > <web-resource-collection> > <web-resource-name>Protected Site</web-resource-name> > <url-pattern>/*</url-pattern> > </web-resource-collection> > <auth-constraint> > <role-name>*</role-name> > </auth-constraint> > <user-data-constraint> > <transport-guarantee>CONFIDENTIAL</transport-guarantee> > </user-data-constraint> > </security-constraint> > > Which as far as I can tell forces everyone through the Google login no > matter what URL they use. Is this correct? > > I also have > > <filter-mapping> > <filter-name>IdentityCheck</filter-name> > <url-pattern>/*</url-pattern> > </filter-mapping> > > Which as far as I can tell only invokes the filter if a servlet is being > invoked. It will not invoke a filter for any static content such as an HTML > file. Is this correct? > > I wanted to set up a second level of authentication to force people to > register another identity with the site, and I thought I could do this with > the filter by comparing their google ID with a of previously authenticated > google IDs. That is, they would only have to go through second level > authentication once, and then the app would automatically them through once > they authenticated their Google ID. > > But if filters only run when invoking a servlet, then static content cannot > be protect this way because the second level of authentication will never > get invoked. > > Am I understanding this all correctly? > > Is there any other mechanism I can use to implement this second level of > authentication that does cover static content too? > > Cheers, Eric > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > To post to this group, send email to google-appengine@googlegroups.com. > To unsubscribe from this group, send email to > google-appengine+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/google-appengine?hl=en. > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.