This is an actual bug and best reported on our Public Issue Tracker. I noticed that your Issue Tracker case was mistakenly closed but I have reopened it. I will assist you there.
On Wednesday, August 29, 2018 at 9:19:23 PM UTC-4, Azeem Haider wrote: > > I want that random internet traffic can't access it. I'm using cloud > endpoints v2 for java. My problem is that anyone can access these endpoints > method through API Explorer or from directly URL someone know. I want to > protect my endpoints. I read documentation how to restrict Whole API or > some methods by using API KEY. > https://cloud.google.com/endpoints/docs/frameworks/java/restricting-api-access-with-api-keys-frameworks > > > Here is what I'm trying. > > @Api( > name = "zeem", > version = "v1" > ) > > public class Account { > @ApiMethod(name = "getRegistration", path = "getRegistration", > apiKeyRequired = AnnotationBoolean.TRUE) > public Registered getRegistration(@Named("phone") Long phone){ > // code .... > } > > I can run this method without any API key from API Explorer and it is > working successfully. > Even I try it to access this method directly from url its also working. > Successfully returning the correct data. > > I'm adding API management Here how openapi.json look like for this > function. > > "/zeem/v1/getRegistration": { > "get": { > "operationId": "ZeemGetRegistration", > "parameters": [ > { > "name": "phone", > "in": "query", > "required": true, > "type": "integer", > "format": "int64" > } > ], > "responses": { > "200": { > "description": "A successful response", > "schema": { > "$ref": "#/definitions/Registered" > } > } > }, > "security": [ > { > "api_key": [ ] > } > ] > } > }, > > See the below image how Endpoint services look like in GCP console. > > [image: endpoint.PNG] > > > Here is my Web.xml. > > <?xml version="1.0" encoding="utf-8"?> > <!-- [START_EXCLUDE] --> > <!-- > Copyright 2016 Google Inc. > Licensed under the Apache License, Version 2.0 (the "License"); > you may not use this file except in compliance with the License. > You may obtain a copy of the License at > http://www.apache.org/licenses/LICENSE-2.0 > <https://www.google.com/url?q=http://www.apache.org/licenses/LICENSE-2.0&sa=D&usg=AFQjCNHsvupiWzDOb7O6KJ99QULsmOON3g> > Unless required by applicable law or agreed to in writing, software > distributed under the License is distributed on an "AS IS" BASIS, > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. > See the License for the specific language governing permissions and > limitations under the License. > --> > <!-- [END_EXCLUDE] --> > <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee > <https://www.google.com/url?q=http://xmlns.jcp.org/xml/ns/javaee&sa=D&usg=AFQjCNHGvubxto4lIQbl5Vv94MYt3axGUQ> > " > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance > <https://www.google.com/url?q=http://www.w3.org/2001/XMLSchema-instance&sa=D&usg=AFQjCNFsclzLqabE3vsjL8lude_KsXKzAw> > " > xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee > <https://www.google.com/url?q=http://xmlns.jcp.org/xml/ns/javaee&sa=D&usg=AFQjCNHGvubxto4lIQbl5Vv94MYt3axGUQ> > http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd > <https://www.google.com/url?q=http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd&sa=D&usg=AFQjCNHrZVe6uAzeVVw8gz2MF72CxhjY2Q> > " > version="3.1"> > > <welcome-file-list> > <welcome-file>welcome</welcome-file> > </welcome-file-list> > > <!-- OBJECTIFY --> > <filter> > <filter-name>ObjectifyFilter</filter-name> > <filter-class>com.googlecode.objectify.ObjectifyFilter</filter-class> > </filter> > <filter-mapping> > <filter-name>ObjectifyFilter</filter-name> > <url-pattern>/*</url-pattern> > </filter-mapping> > > <!-- ENDPOINTS --> > <servlet> > <servlet-name>EndpointsServlet</servlet-name> > <servlet-class>com.google.api.server.spi.EndpointsServlet > </servlet-class> > <init-param> > <param-name>services</param-name> > <param-value> > org.octabyte.zeem.API.Account, > org.octabyte.zeem.API.CommentApi, > org.octabyte.zeem.API.FriendApi, > org.octabyte.zeem.API.ListApi, > org.octabyte.zeem.API.PostApi, > org.octabyte.zeem.API.SearchApi, > org.octabyte.zeem.API.UserApi, > org.octabyte.zeem.API.StoryApi > </param-value> > </init-param> > </servlet> > <!-- Route API method requests to the backend. --> > <servlet-mapping> > <servlet-name>EndpointsServlet</servlet-name> > <url-pattern>/_ah/api/*</url-pattern> > </servlet-mapping> > > > <!-- Security --> > <security-role> > <role-name>admin</role-name> > </security-role> > <security-constraint> > <web-resource-collection> > <web-resource-name>admin</web-resource-name> > <url-pattern>/*</url-pattern> > </web-resource-collection> > <auth-constraint> > <role-name>admin</role-name> > </auth-constraint> > </security-constraint> > > </web-app> > > And Here is how my pom.xml look like. > > <!-- Copyright 2016 Google Inc. Licensed under the Apache License, Version > 2.0 (the "License"); you may not use this file except in > compliance with > the License. You may obtain a copy of the License at > http://www.apache.org/licenses/LICENSE-2.0 > <https://www.google.com/url?q=http://www.apache.org/licenses/LICENSE-2.0&sa=D&usg=AFQjCNHsvupiWzDOb7O6KJ99QULsmOON3g> > > Unless required by applicable law or agreed to in writing, > software distributed > under the License is distributed on an "AS IS" BASIS, WITHOUT > WARRANTIES > OR CONDITIONS OF ANY KIND, either express or implied. See the > License for > the specific language governing permissions and limitations under > the License. --> > <project> > <modelVersion>4.0.0</modelVersion> > <packaging>war</packaging> > <version>1.0-SNAPSHOT</version> > <groupId>com.azeem.endpoint</groupId> > <artifactId>endpoint</artifactId> > > > <!-- [START properties] --> > <properties> > <!-- OBJECTIFY --> > <objectify.version>5.1.5</objectify.version> > <guava.version>19.0</guava.version> > > <!-- ENDPOINTS --> > <endpoints.framework.version>2.0.8 > </endpoints.framework.version> > <endpoints.management.version>1.0.4 > </endpoints.management.version> > <endpoints.project.id > <https://www.google.com/url?q=http://endpoints.project.id&sa=D&usg=AFQjCNHVmh5jRdvKZFAnw5ZTJHRMOkYtEg> > >my-profect-id</endpoints.project.id > <https://www.google.com/url?q=http://endpoints.project.id&sa=D&usg=AFQjCNHVmh5jRdvKZFAnw5ZTJHRMOkYtEg> > > > > <maven.compiler.target>1.8</maven.compiler.target> > <maven.compiler.source>1.8</maven.compiler.source> > </properties> > <!-- [END properties] --> > > <dependencies> > > <!-- Firebase push Notification --> > <dependency> > <groupId>com.google.firebase</groupId> > <artifactId>firebase-admin</artifactId> > <version>6.2.0</version> > </dependency> > <!-- End Firebase push Notification--> > > <!-- GEO HASH --> > <dependency> > <groupId>de.alpharogroup</groupId> > <artifactId>jgeohash-core</artifactId> > <version>2.4.0</version> > </dependency> > <!-- END GEO HASH --> > > <!-- [START Objectify_Dependencies] --> > <dependency> > <groupId>com.google.guava</groupId> > <artifactId>guava</artifactId> > <version>${guava.version}</version> > </dependency> > <dependency> > <groupId>com.googlecode.objectify</groupId> > <artifactId>objectify</artifactId> > <version>${objectify.version}</version> > </dependency> > <!-- [END Objectify_Dependencies] --> > > <!-- ENDPOINTS --> > <dependency> > <groupId>com.google.endpoints</groupId> > <artifactId>endpoints-framework</artifactId> > <version>${endpoints.framework.version}</version> > </dependency> > > <dependency> > <groupId>com.google.endpoints</groupId> > <artifactId> > endpoints-management-control-appengine-all</artifactId> > <version>1.0.5</version> > </dependency> > > <!-- Parent POM defines ${appengine.sdk.version} (updates > frequently). --> > <dependency> > <groupId>com.google.appengine</groupId> > <artifactId>appengine-api-1.0-sdk</artifactId> > <version>1.9.57</version> > </dependency> > > <dependency> > <groupId>javax.servlet</groupId> > <artifactId>javax.servlet-api</artifactId> > <version>3.1.0</version> > <type>jar</type> > <scope>provided</scope> > </dependency> > > <dependency> > <groupId>jstl</groupId> > <artifactId>jstl</artifactId> > <version>1.2</version> > </dependency> > > <dependency> > <groupId>com.google.api-client</groupId> > <artifactId>google-api-client-appengine > </artifactId> > <version>1.23.0</version> > </dependency> > > > </dependencies> > <build> > <!-- for hot reload of the web application --> > > > <outputDirectory> > ${project.build.directory}/${project.build.finalName}/WEB-INF/classes > </outputDirectory> > <plugins> > <plugin> > <groupId>org.apache.maven.plugins > </groupId> > <artifactId>maven-war-plugin</artifactId> > <version>3.0.0</version> > <configuration> > <webResources> > <!-- in order to > interpolate version from pom into appengine-web.xml --> > <resource> > <directory> > ${basedir}/src/main/webapp/WEB-INF</directory> > <filtering>true > </filtering> > <targetPath> > WEB-INF</targetPath> > </resource> > </webResources> > </configuration> > </plugin> > > <plugin> > <groupId>com.google.cloud.tools</groupId> > <artifactId>appengine-maven-plugin > </artifactId> > <version>1.3.1</version> > <configuration> > <deploy.promote>true > </deploy.promote> > <deploy.stopPreviousVersion>true > </deploy.stopPreviousVersion> > </configuration> > </plugin> > > <plugin> > <groupId>com.google.cloud.tools</groupId> > <artifactId> > endpoints-framework-maven-plugin</artifactId> > <version>1.0.2</version> > <configuration> > <!-- plugin configuration --> > <hostname>${endpoints.project.id > <https://www.google.com/url?q=http://endpoints.project.id&sa=D&usg=AFQjCNHVmh5jRdvKZFAnw5ZTJHRMOkYtEg> > }.appspot.com > <https://www.google.com/url?q=http://appspot.com&sa=D&usg=AFQjCNErPo0F0Uf1LXFg60Rkv7gV_259-g> > </hostname> > </configuration> > </plugin> > > </plugins> > </build> > </project> > > Can you please let me know what I'm missing. Because I can access endpoint > methods without any API key. > I also posted a question on Stackoverflow right here > https://stackoverflow.com/questions/52005671/restricting-my-endpoints-with-api-key-in-java > > <https://www.google.com/url?q=https://stackoverflow.com/questions/52005671/restricting-my-endpoints-with-api-key-in-java&sa=D&usg=AFQjCNGW0lZTE6G5jZHyXuo6Uv7ihNKjtw> > > > > > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to google-appengine+unsubscr...@googlegroups.com. To post to this group, send email to google-appengine@googlegroups.com. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/c9f35661-18d4-46b1-8b8e-5e8213937f17%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
