[appengine-java] proxying datastore request
Hi all!

I was thinking about making my RPC calls to the server (datastore commands) more secure against JavaScript or data stream modifications on client side (when user is already signed in and validated).

Problem:
- right now all datastore requests are transmitted 1:1 from client to server via RPC calls.
- a logged in user could manipulate the RPC call (he could for example exchange his userID by the ID of someone else and access the data of this user)
- to avoid that I need to verify that the user ID matches the session ID assigned when he logged in.
- Idea: I want to proxy every request through a single method on server side and only if the user is validated against his session the specified server method is called.

Not a clue how to implement:
- specify an Interface with all datastore methods available.
- sending a "method call" (which is defined by the interface) via RPC call to the server
- within the proxy method on server side verify the user and execute the "method call"
- if applicable return the return value asynchronously

Is this a common approach? If not, what is a common approach? And also: How can one avoid thievery of the session ID?

I would appreciate any hint.

Thanks & greetings.

--
You received this message because you are subscribed to the Google Groups "Google App Engine for Java" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine-java/-/V2AK2IBABxkJ.
To post to this group, send email to google-appengine-java@googlegroups.com.
To unsubscribe from this group, send email to google-appengine-java+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-appengine-java?hl=en.
[appengine-java] how to get the correct time for germany?
hi everyone.

since the days are getting longer, I noticed that in 2 months I'll have an error with my getTime() method, which gives me the current time in a "human friendly" way.

    /**
     * dd.mm. hh:mm:ss
     */
    public static String getTimeAsStringTest(){
        Calendar cal = Calendar.getInstance();
        cal.setTimeZone(TimeZone.getTimeZone("Germany/Berlin"));

        int mod = 1; //Wintertime +1, Summertime +2

        cal.set(cal.get(Calendar.YEAR), cal.get(Calendar.MONTH),
                cal.get(Calendar.DATE), cal.get(Calendar.HOUR_OF_DAY)+mod,
                cal.get(Calendar.MINUTE));
        DateFormat df = DateFormat.getDateTimeInstance( MEDIUM, MEDIUM, Locale.GERMANY );
        return df.format(cal.getTime());
    }

I don't want to change the mod every 6 months (or how long the daylight saving time might be, I don't care^^). I would prefer it very much if it would give me the correct time without adding 1 or 2 hours to the time the calendar gives me...

how do I achieve this, without using something ugly like a list or some 42 page long if else if statements which knows when to use +1 and when to use +2?...
[appengine-java] Re: how to get the correct time for germany?
The code below is how I do this. It works for summer and winter times automajically.

    public static final Locale G_LOCALE_UK = Locale.UK;
    public static final String G_S_TIME_ZONE_ID = "Europe/London";

    /**
     * Converts a date-time in Universal Time Co-ordinated (UTC) time
     * into a formatted string of that date-time translated to UK local time
     * (GMT or BST depending on the time of year).
     * @param nDateStyle
     *   The date formatting style to be applied.
     * @param nTimeStyle
     *   The time formatting style to be applied.
     * @param dtDateTime
     *   A date-time (in UTC time).
     *   If this is null then an empty string is returned.
     * @return
     *   The date-time translated to UK local time formatted as a string.
     */
    public static String dateTimeUTCToStringLocalTime(int nDateStyle, int nTimeStyle, Date dtDateTime) {
        String sDate = "";
        if (dtDateTime != null) {
            GregorianCalendar gcUK = new GregorianCalendar(G_LOCALE_UK);
            TimeZone tzUK = TimeZone.getTimeZone(G_S_TIME_ZONE_ID);
            gcUK.setTimeZone(tzUK);
            gcUK.setTime(dtDateTime);
            DateFormat dfUK = SimpleDateFormat.getDateTimeInstance(nDateStyle, nTimeStyle, G_LOCALE_UK);
            dfUK.setCalendar(gcUK);
            sDate = dfUK.format(dtDateTime);
        }
        return sDate;
    }

    // Example usage of the method
    String sDT = dateTimeUTCToStringLocalTime(SimpleDateFormat.MEDIUM, SimpleDateFormat.MEDIUM, new Date());

Just alter the two constants to reflect Germany instead of their current values which reflect the UK.

Enjoy?

On Jan 11, 3:24 pm, vega <_v...@vr-web.de> wrote:

> hi everyone.
>
> since the days are getting longer, I noticed that in 2 months I'll have an
> error with my getTime() method, which gives me the current time in a "human
> friendly" way.
>
>     /**
>      * dd.mm. hh:mm:ss
>      */
>     public static String getTimeAsStringTest(){
>         Calendar cal = Calendar.getInstance();
>         cal.setTimeZone(TimeZone.getTimeZone("Germany/Berlin"));
>
>         int mod = 1; //Wintertime +1, Summertime +2
>
>         cal.set(cal.get(Calendar.YEAR), cal.get(Calendar.MONTH),
>                 cal.get(Calendar.DATE), cal.get(Calendar.HOUR_OF_DAY)+mod,
>                 cal.get(Calendar.MINUTE));
>         DateFormat df = DateFormat.getDateTimeInstance( MEDIUM, MEDIUM, Locale.GERMANY );
>         return df.format(cal.getTime());
>     }
>
> I don't want to change the mod every 6 months (or how long the daylight
> saving time might be, I don't care^^).
> I would prefer it very much if it would give me the correct time without
> adding 1 or 2 hours to the time the calendar gives me...
>
> how do I achieve this, without using something ugly like a list or some 42
> page long if else if statements which knows when to use +1 and when to use
> +2?...
Re: [appengine-java] proxying datastore request
Hi there!

"- a logged in user could manipulate the RPC call (he could for example exchange his userID by the ID of someone else and access the data of this user) - to avoid that I need to verify that the user ID matches the session ID assigned when he logged in."

Can you describe how your code works that makes this an issue? If you're using the Users API, it shouldn't be a problem, but I suspect you are doing something where a native client call is directly translated to a low level datastore API call.

--
Ikai Lan
Developer Programs Engineer, Google App Engine
plus.ikailan.com | twitter.com/ikai

On Wed, Jan 11, 2012 at 7:18 AM, meiaestro wrote:

> Hi all!
>
> I was thinking about making my RPC calls to the server (datastore
> commands) more secure against JavaScript or data stream modifications on
> client side (when user is already signed in and validated).
>
> Problem:
> - right now all datastore requests are transmitted 1:1 from client to
>   server via RPC calls.
> - a logged in user could manipulate the RPC call (he could for
>   example exchange his userID by the ID of someone else and access the data
>   of this user)
> - to avoid that I need to verify that the user ID matches the session ID
>   assigned when he logged in.
> - Idea: I want to proxy every request through a single method on server
>   side and only if the user is validated against his session the specified
>   server method is called.
>
> Not a clue how to implement:
> - specify an Interface with all datastore methods available.
> - sending a "method call" (which is defined by the interface) via RPC call
>   to the server
> - within the proxy method on server side verify the user and execute the
>   "method call"
> - if applicable return the return value asynchronously
>
> Is this a common approach? If not, what is a common approach? And also:
> How can one avoid thievery of the session ID?
>
> I would appreciate any hint.
>
> Thanks & greetings.
Re: [appengine-java] proxying datastore request
Thanks for the reply.

You're right. I did not use the Users API, as I do not want to force the users to have a Google account (or any other existing account). This will be optional at a later point in time.

The user authentication happens on server side by a self-programmed algorithm. Username and the hash values of the user's password are stored in the datastore. So far this authentication is independent from any session ID.

Hope this helps a bit.
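The server-side check this thread asks about, as an added example that is not part of the original messages and is not App Engine code: a single proxy entry point resolves the user from the session token and never accepts a user ID from the client. The class name, the `Op` whitelist and the in-memory maps (standing in for the session store and the datastore) are hypothetical, and the sample users are constructed.

```java
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class SessionBoundGateway {
    /** Hypothetical whitelist: the only operations a client may name in an RPC. */
    enum Op { LIST_NOTES, ADD_NOTE }

    private final SecureRandom rng = new SecureRandom();
    // token -> userId; stands in for the server-side session store (assumption).
    private final Map<String, String> sessions = new ConcurrentHashMap<>();
    // userId -> rows; stands in for the datastore (assumption).
    private final Map<String, List<String>> notes = new ConcurrentHashMap<>();

    /** Call only after the password check has succeeded; returns a 256-bit random token. */
    String login(String userId) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, userId);
        return token;
    }

    /** Single entry point: the owner comes from the session, never from the request. */
    synchronized List<String> call(String token, Op op, String arg) {
        String userId = (token == null) ? null : sessions.get(token);
        if (userId == null) throw new SecurityException("no valid session");
        List<String> mine = notes.computeIfAbsent(userId, k -> new ArrayList<>());
        switch (op) {
            case ADD_NOTE:   mine.add(arg); return Collections.emptyList();
            case LIST_NOTES: return new ArrayList<>(mine);
            default:         throw new IllegalArgumentException("unknown operation");
        }
    }

    public static void main(String[] args) {
        SessionBoundGateway gw = new SessionBoundGateway();
        String alice = gw.login("alice"), bob = gw.login("bob"); // constructed users
        gw.call(alice, Op.ADD_NOTE, "alice's private note");
        // Bob's request has no user ID field to swap, so he only reaches his own rows.
        System.out.println("bob sees:   " + gw.call(bob, Op.LIST_NOTES, null));
        System.out.println("alice sees: " + gw.call(alice, Op.LIST_NOTES, null));
        try {
            gw.call("forged-token", Op.LIST_NOTES, null);
        } catch (SecurityException e) {
            System.out.println("rejected:   " + e.getMessage());
        }
    }
}
```

The token is only as safe as its transport and storage: send it over HTTPS only, and if it travels in a cookie, mark the cookie Secure and HttpOnly so page scripts cannot read it.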
[appengine-java]
Ok tnx!
[appengine-java] Minor update to Java SDK: 1.6.1.1
Hey everyone,

There's a new version of the Java SDK available for download. You can get it here:

http://code.google.com/p/googleappengine/downloads/detail?name=appengine-java-sdk-1.6.1.1.zip

It's a minor version bump. We had to address an issue with the Java SDK that was causing CSS files to upload with an empty mime-type, breaking CSS rendering in many browsers. The official App Engine download page will be updated shortly. We recommend that anyone developing Java apps using SDK version 1.6.1 upgrade to this version.

I want to thank everyone who helped us nail this bug, namely, Jon, Brandon, Raffaele, Pieter and James. If I missed your name I apologize! Every bit of information was helpful.

--
Ikai Lan
Developer Programs Engineer, Google App Engine
plus.ikailan.com | twitter.com/ikai
Re: [appengine-java] Re: problem with Content-type: null with css files
We have an SDK update that resolves this issue on upload (I've also posted in a separate thread about this):

http://code.google.com/p/googleappengine/downloads/detail?name=appengine-java-sdk-1.6.1.1.zip

--
Ikai Lan
Developer Programs Engineer, Google App Engine
plus.ikailan.com | twitter.com/ikai

On Tue, Jan 10, 2012 at 3:38 PM, Shawn Brown wrote:

> > We think we know what's happening. This is something that is happening at
> > app upload time. Can you try setting a new version name for your app, then
> > passing the --no_batch option when using appcfg.sh?
> >
> > appcfg.sh --no_batch update [YOUR_WAR_DIRECTORY]
>
> Seems to solve it. I can't reproduce the error as I did by just
> modifying the spaces in comments in the css file anymore.
>
> Shawn