Thanks Didier. I will look into it while waiting to see if Google can respond on what the UserService returns in this case and if it can be used.
My first thought was that it would be pretty easy for someone to construct a request with those headers present and valid values (especially for the "default" queue), especially to pass the "generic" security filter I'd like to write. regards -- You received this message because you are subscribed to the Google Groups "Google App Engine for Java" group. To post to this group, send email to google-appengine-j...@googlegroups.com. To unsubscribe from this group, send email to google-appengine-java+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine-java?hl=en.