[appengine-java] Re: Checking admin priviledges using UserService in a cron/task-queue task execution

[andrew]

Thanks Didier.

I will look into it while waiting to see if Google can respond on what
the UserService returns in this case and if it can be used.

My first thought was that it would be pretty easy for someone to
construct a request with those headers present and valid values
(especially for the default queue), especially to pass the generic
security filter I'd like to write.

regards

-- 
You received this message because you are subscribed to the Google Groups 
Google App Engine for Java group.
To post to this group, send email to google-appengine-j...@googlegroups.com.
To unsubscribe from this group, send email to 
google-appengine-java+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-appengine-java?hl=en.

[appengine-java] Re: Checking admin priviledges using UserService in a cron/task-queue task execution

[Didier Durand]

Hi,

To check if your code is running as a task, you can use the specific
http headers added by GAE: QueueName, TaskName, RetryCount. See
http://code.google.com/appengine/docs/java/taskqueue/overview.html#Task_Request_Headers

If additionally. you made the right security restrictions, you are
pretty safe to assume that you are Admin in a task if those headers
are here.
For the security constraint, see
http://code.google.com/appengine/docs/java/taskqueue/overview.html#Securing_URLs_for_Tasks

It's exactly the same idea for cron jobs: see
http://code.google.com/appengine/docs/java/config/cron.html#Securing_URLs_for_Cron.

So, not a direct answer to your question but a way to reach your goal.

Hope it helps
didier

On Dec 4, 2:38 pm, andrew aute...@gmail.com wrote:
 I am trying to debug some issues with task execution and have a
 question.

 Background
 ==
 Documentation states that tasks (cron and task queue) are executed by
 a system process with admin priviledges.

 To protect task execution from unauthorized execution I originally
 protected them with a security constraint in the web.xml file. That
 seemed to work OK.

 Now, for other reasons, I'd like to protect them with code of my own
 in a filter.

 I have been trying to confirm admin priviledges in the filter, using
 code like this:

         public boolean isAdmin() {
                 UserService user = UserServiceFactory.getUserService();

                 if ( user.isUserLoggedIn() ) {
                         return user.isUserAdmin();
                 }
                 else {
                         return false;
                 }
          }

 and I also tried directly:
          return user.isUserAdmin();

 without checking for login first.

 Problem
 ===
 In both cases this seems to return false, even when when the request
 comes from the system to run a task-queue task.
 Despite the statement that these requests are run as admin.

 Question:
 ===
 Can I use the UserService to check admin permissions when the code is
 being run in a request started by the system to serve a cron or task-
 queue task?

 thanks!

-- 
You received this message because you are subscribed to the Google Groups 
Google App Engine for Java group.
To post to this group, send email to google-appengine-j...@googlegroups.com.
To unsubscribe from this group, send email to 
google-appengine-java+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-appengine-java?hl=en.