Re: [google-appengine] security in task queue servlets
The only thing to look out for when naming Tasks is.. Task names are unique for a certain time period (I think its 7 days [I'm writing this on my phone so I won't be verifying that :) ]). This makes sure a task with the same name doesn't get added to the queue twice due to any errors. On 2/2/10, Patrick Linskey plins...@gmail.com wrote: Hi, That's a great suggestion -- thanks! I don't use task names for anything meaningful currently, so using it as a hashing channel should work great. Now that you've got me thinking about strong encryption vs. just checking local state, I wonder if maybe I should just sign the request payloads. (When I replied earlier, I had only read the first paragraph. I'm going to blame that on the small display on my phone. Meanwhile, my questions to Google still stands: do you make any guarantees about stripping client-provided headers, and do you have any plans to provide an API for checking the current request's roles in a way that works with task queues? -Patrick On Feb 1, 12:39 pm, Eli Jones eli.jo...@gmail.com wrote: That's why you have to use the TaskName and Hash method to verify that a Task was added to the queue in an orthodox manner. Unless someone knows the hash scheme you are using for TaskNames.. they will not be able to send in a (TaskName,getHash(TaskName)) pair that would get validated when the task started running.. Let me know if I'm not being clear in my suggestion.. this should do exactly what you want.. it would 100% prevent a person from accidentally visiting the URL and running a task (since it checks for the TaskName header).. and it would pretty much prevent some random person from trying to impersonate a task by sending a Post to the task URL.. They would have to know the correct hash to send along with the TaskName they are spoofing.. On Mon, Feb 1, 2010 at 3:29 PM, Patrick Linskey plins...@gmail.com wrote: (and Require Admin login isn't enough) That would be enough, but the only way to do that is to put the limitation in the web.xml file, which is pretty far away from the servlet in question. I want to make sure that someone doesn't accidentally mis-configure the web.xml file to remove the admin restriction. And I'd really rather not parse web.xml and apply all the appropriate rules to do so. Also, I don't know whether or not Google guarantees that the X- AppEngine-TaskName header is stripped from malicious incoming requests. It looks like it does, but that's just based on my observations. Thanks, -Patrick On Feb 1, 11:02 am, Eli Jones eli.jo...@gmail.com wrote: If you have a compelling reason for really locking down the task queue url (and Require Admin login isn't enough), you could create a mechanism that creates a task name for each queued task.. and the task verifies that its name is correct. You could have the task use the X-AppEngine-TaskName header to check its name.. So.. when you add a task to the queue.. you do something like this: taskName = getUniqueTaskName() nameHash = getHash(taskName) taskqueue.add(url = '/myTaskQueue', countdown = 0, name = taskName, params = {'nameHash' : nameHash}) and.. in the first part of the /myTaskQueue code.. you could have it verify that the 'nameHash' param is equal to getHash() of the TaskName you grab from the header.. On Sat, Jan 30, 2010 at 4:07 PM, Patrick Linskey plins...@gmail.com wrote: Hi, I'd like to programmatically ensure that my task queue servlets are only invoked via the task queue. I've got a security constraint in my web.xml, but I'd like to also check in code to avoid any potential mis- configuration in the future. Is there any supported means to do such a check? I tried looking at the contents of the HttpServletRequest (isUserInRole (), getAuthType(), getUserPrincipal(), getRemoteName()), to no avail. I also tried UserServiceFactory.getUserService().isAdmin(), but received an exception informing me that no user was logged in. I can see that there are a number of task queue-specific HTTP headers. Currently, I'm checking that X-AppEngine-TaskRetryCount is present, and if so, assuming that the request has come from the task queue and that it's therefore safe to process. Empirically, it looks like GAE strips out the X-AppEngine-TaskRetryCount header when I specify it in a curl-sourced request. Is this a safe assumption to rely on? Are there plans to document a reliable way to ensure servlet security in a task queue environment? Is there something else that I'm missing? Also, in an ideal world, it'd be nice if request.isUserInRole(admin) would return true at the appropriate times. Thanks, -Patrick -- You received this message because you are subscribed to the Google Groups
Re: [google-appengine] security in task queue servlets
If you have a compelling reason for really locking down the task queue url (and Require Admin login isn't enough), you could create a mechanism that creates a task name for each queued task.. and the task verifies that its name is correct. You could have the task use the X-AppEngine-TaskName header to check its name.. So.. when you add a task to the queue.. you do something like this: taskName = getUniqueTaskName() nameHash = getHash(taskName) taskqueue.add(url= '/myTaskQueue', countdown = 0, name = taskName, params = {'nameHash' : nameHash}) and.. in the first part of the /myTaskQueue code.. you could have it verify that the 'nameHash' param is equal to getHash() of the TaskName you grab from the header.. On Sat, Jan 30, 2010 at 4:07 PM, Patrick Linskey plins...@gmail.com wrote: Hi, I'd like to programmatically ensure that my task queue servlets are only invoked via the task queue. I've got a security constraint in my web.xml, but I'd like to also check in code to avoid any potential mis- configuration in the future. Is there any supported means to do such a check? I tried looking at the contents of the HttpServletRequest (isUserInRole (), getAuthType(), getUserPrincipal(), getRemoteName()), to no avail. I also tried UserServiceFactory.getUserService().isAdmin(), but received an exception informing me that no user was logged in. I can see that there are a number of task queue-specific HTTP headers. Currently, I'm checking that X-AppEngine-TaskRetryCount is present, and if so, assuming that the request has come from the task queue and that it's therefore safe to process. Empirically, it looks like GAE strips out the X-AppEngine-TaskRetryCount header when I specify it in a curl-sourced request. Is this a safe assumption to rely on? Are there plans to document a reliable way to ensure servlet security in a task queue environment? Is there something else that I'm missing? Also, in an ideal world, it'd be nice if request.isUserInRole(admin) would return true at the appropriate times. Thanks, -Patrick -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appeng...@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.comgoogle-appengine%2bunsubscr...@googlegroups.com . For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en. -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appeng...@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
Re: [google-appengine] security in task queue servlets
I believe that the App Engine injects the pertinent information from the Users service. For instance, when you call HttpServletRequest.getUserPrinicpal(), you're getting values injected by the UsersService. On Mon, Feb 1, 2010 at 11:02 AM, Eli Jones eli.jo...@gmail.com wrote: If you have a compelling reason for really locking down the task queue url (and Require Admin login isn't enough), you could create a mechanism that creates a task name for each queued task.. and the task verifies that its name is correct. You could have the task use the X-AppEngine-TaskName header to check its name.. So.. when you add a task to the queue.. you do something like this: taskName = getUniqueTaskName() nameHash = getHash(taskName) taskqueue.add(url= '/myTaskQueue', countdown = 0, name = taskName, params = {'nameHash' : nameHash}) and.. in the first part of the /myTaskQueue code.. you could have it verify that the 'nameHash' param is equal to getHash() of the TaskName you grab from the header.. On Sat, Jan 30, 2010 at 4:07 PM, Patrick Linskey plins...@gmail.comwrote: Hi, I'd like to programmatically ensure that my task queue servlets are only invoked via the task queue. I've got a security constraint in my web.xml, but I'd like to also check in code to avoid any potential mis- configuration in the future. Is there any supported means to do such a check? I tried looking at the contents of the HttpServletRequest (isUserInRole (), getAuthType(), getUserPrincipal(), getRemoteName()), to no avail. I also tried UserServiceFactory.getUserService().isAdmin(), but received an exception informing me that no user was logged in. I can see that there are a number of task queue-specific HTTP headers. Currently, I'm checking that X-AppEngine-TaskRetryCount is present, and if so, assuming that the request has come from the task queue and that it's therefore safe to process. Empirically, it looks like GAE strips out the X-AppEngine-TaskRetryCount header when I specify it in a curl-sourced request. Is this a safe assumption to rely on? Are there plans to document a reliable way to ensure servlet security in a task queue environment? Is there something else that I'm missing? Also, in an ideal world, it'd be nice if request.isUserInRole(admin) would return true at the appropriate times. Thanks, -Patrick -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appeng...@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.comgoogle-appengine%2bunsubscr...@googlegroups.com . For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en. -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appeng...@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.comgoogle-appengine%2bunsubscr...@googlegroups.com . For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en. -- Patrick H. Twohig. Namazu Studios P.O. Box 34161 San Diego, CA 92163-4161 Office: 619.862.2890 x100 Cell: 619.453.5075 Twitter: @svm_invictvs IRC: svm_invic...@irc.freenode.net ##java, #android-dev, #iphonedev, #appengine http://www.namazustudios.com/ This communication, and any attachments, shall be considered confidential and proprietary information of Namazu Studios LLC. This message, and attachments, are intended for the listed recipients only. If you are not one of the intended recipients, please destroy all copies of this communication. -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appeng...@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
[google-appengine] security in task queue servlets
Hi, I'd like to programmatically ensure that my task queue servlets are only invoked via the task queue. I've got a security constraint in my web.xml, but I'd like to also check in code to avoid any potential mis- configuration in the future. Is there any supported means to do such a check? I tried looking at the contents of the HttpServletRequest (isUserInRole (), getAuthType(), getUserPrincipal(), getRemoteName()), to no avail. I also tried UserServiceFactory.getUserService().isAdmin(), but received an exception informing me that no user was logged in. I can see that there are a number of task queue-specific HTTP headers. Currently, I'm checking that X-AppEngine-TaskRetryCount is present, and if so, assuming that the request has come from the task queue and that it's therefore safe to process. Empirically, it looks like GAE strips out the X-AppEngine-TaskRetryCount header when I specify it in a curl-sourced request. Is this a safe assumption to rely on? Are there plans to document a reliable way to ensure servlet security in a task queue environment? Is there something else that I'm missing? Also, in an ideal world, it'd be nice if request.isUserInRole(admin) would return true at the appropriate times. Thanks, -Patrick -- You received this message because you are subscribed to the Google Groups Google App Engine group. To post to this group, send email to google-appeng...@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.