If I understand what you are saying, I could make every URL map to a
servlet, and let the servlet return the specific static pages.
Or can I just put my folder of HTML into the resources section, and not
have to write another servlet?
Cheers, Eric
On 2011-05-13 6:52 PM, Erick Fleming wrote:
You are correct. Google stores and serves static files differently
than Filters/Servlets/Resources. I know of two alternatives:
1. Store your files as resources
2. Store static content in Datastore
Erick
On Fri, May 13, 2011 at 6:49 PM, Eric Kolotyluk
<eric.koloty...@gmail.com <mailto:eric.koloty...@gmail.com>> wrote:
I've been playing around with security in my test app, and was
hoping someone could confirm my understanding of things.
I have the following in my web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Site</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Which as far as I can tell forces everyone through the Google
login no matter what URL they use. Is this correct?
I also have
<filter-mapping>
<filter-name>IdentityCheck</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Which as far as I can tell only invokes the filter if a servlet is
being invoked. It will not invoke a filter for any static content
such as an HTML file. Is this correct?
I wanted to set up a second level of authentication to force
people to register another identity with the site, and I thought I
could do this with the filter by comparing their google ID with a
of previously authenticated google IDs. That is, they would only
have to go through second level authentication once, and then the
app would automatically them through once they authenticated their
Google ID.
But if filters only run when invoking a servlet, then static
content cannot be protect this way because the second level of
authentication will never get invoked.
Am I understanding this all correctly?
Is there any other mechanism I can use to implement this second
level of authentication that does cover static content too?
Cheers, Eric
--
You received this message because you are subscribed to the Google
Groups "Google App Engine" group.
To post to this group, send email to
google-appengine@googlegroups.com
<mailto:google-appengine@googlegroups.com>.
To unsubscribe from this group, send email to
google-appengine+unsubscr...@googlegroups.com
<mailto:google-appengine%2bunsubscr...@googlegroups.com>.
For more options, visit this group at
http://groups.google.com/group/google-appengine?hl=en.
--
You received this message because you are subscribed to the Google
Groups "Google App Engine" group.
To post to this group, send email to google-appengine@googlegroups.com.
To unsubscribe from this group, send email to
google-appengine+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/google-appengine?hl=en.
--
You received this message because you are subscribed to the Google Groups "Google
App Engine" group.
To post to this group, send email to google-appengine@googlegroups.com.
To unsubscribe from this group, send email to
google-appengine+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/google-appengine?hl=en.