Re: [appengine-java] proxying datastore request

2012-01-12 Thread Ikai Lan (Google)
This seems like something you might do in a servlet filter. Have you
considered user specific namespaces if you completely want user data in
silos? You can set the namespace in the servlet filter:

http://code.google.com/appengine/docs/java/multitenancy/multitenancy.html

--
Ikai Lan
Developer Programs Engineer, Google App Engine
plus.ikailan.com | twitter.com/ikai





-- 
You received this message because you are subscribed to the Google Groups 
Google App Engine for Java group.
To post to this group, send email to google-appengine-java@googlegroups.com.
To unsubscribe from this group, send email to 
google-appengine-java+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-appengine-java?hl=en.
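Ikai's suggestion above (check the session and set a per-user namespace in a servlet filter), as an added example that is not code from this thread or from App Engine's own samples. It assumes the poster's custom login code stores the verified username in the HttpSession under a constructed attribute name `authenticatedUser`, and that usernames only use characters App Engine allows in a namespace name.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.google.appengine.api.NamespaceManager;

/** Gates every RPC on the server-side session and pins the datastore namespace to that user. */
public class SessionNamespaceFilter implements Filter {

    // Assumed attribute name: the app's own login code sets it after checking the password hash.
    static final String USER_ATTR = "authenticatedUser";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Identity comes from the server-side session, never from the RPC payload,
        // so a client that edits the userID in its request gains nothing.
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute(USER_ATTR);
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // the RPC servlet behind this filter is never reached
        }

        // Scope every datastore call made during this request to the user's own silo.
        // NamespaceManager.set() rejects names outside [0-9A-Za-z._-]{0,100}.
        String previous = NamespaceManager.get();
        NamespaceManager.set(user);
        try {
            chain.doFilter(req, resp);
        } finally {
            NamespaceManager.set(previous); // do not leak the namespace into later work on this thread
        }
    }

    @Override
    public void destroy() {}
}
```

Map the filter in web.xml to the RPC servlet's URL pattern so it runs before every datastore call; the handler behind it should then take the acting user from the session (or from `NamespaceManager.get()`) and ignore any userID carried in the RPC payload.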



[appengine-java] proxying datastore request

2012-01-11 Thread meiaestro


Hi all!

 

I was thinking about making my RPC calls to the server (datastore commands)
more secure against JavaScript or data stream modifications on the client side
(when the user is already signed in and validated).

 

Problem:

- right now all datastore requests are transmitted 1:1 from client to 
server via RPC calls.

- a logged-in user could manipulate the RPC call (he could, for
example, replace his userID with the ID of someone else and access that
user's data)

- to avoid that I need to verify that the user ID matches the session ID
assigned when he logged in.

- Idea: I want to proxy every request through a single method on the server
side, and only if the user is validated against his session is the specified
server method called.

 

Not a clue how to implement:

- specify an interface with all datastore methods available.

- send a method call (which is defined by the interface) via RPC call
to the server

- within the proxy method on the server side, verify the user and execute the
method call

- if applicable, return the return value asynchronously


Is this a common approach? If not, what is a common approach? And also: How 
can one avoid thievery of the session ID?


I would appreciate any hint.

Thanks & greetings.




Re: [appengine-java] proxying datastore request

2012-01-11 Thread Ikai Lan (Google)
Hi there!

- a logged in user could manipulate the RPC call (he could for
example exchange his userID by the ID of someone else and access the data
of this user)

- to avoid that I need to verify that the user ID matches the session ID
assigned when he logged in.


Can you describe how your code works that makes this an issue? If you're
using the Users API, it shouldn't be a problem, but I suspect you are doing
something where a native client call is directly translated to a low level
datastore API call.


--
Ikai Lan
Developer Programs Engineer, Google App Engine
plus.ikailan.com | twitter.com/ikai








Re: [appengine-java] proxying datastore request

2012-01-11 Thread meiaestro


Thanks for the reply.

 

You're right. I did not use the Users API, as I do not want to force the
users to have a Google account (or any other existing account). This will
be optional at a later point in time.

 

The user authentication happens on the server side by a self-programmed
algorithm. The username and the hash value of the user's password are stored
in the datastore. So far this authentication is independent of any
session ID.


Hope this helps a bit.
