To further expand on what others have suggested, you can implement
this using cookies and authentication similar to what Google Accounts
does for App Engine. The flow would go something like this:

1) Your app generates a token for the currently logged in user,
consisting of their username and the current datetime HMACed with a
secret that only your app and the third-party site know
2) Your app sends a 302 redirect to the user, redirecting them to a
login URL on the third-party server, and containing the token you
generated in step 1, along with a 'continue' URL.
3) The third party server receives and verifies the request with the
token, and issues the user a session cookie identifying them as logged
in, as well as a 302 redirect back to the continue URL you specified
in step 2.
4) Serve up links to files on the third-party service as per normal.
The third-party service checks for the presence and validity of the
session cookie generated in step 3 before serving files to a user.

This way, there's no need for 'secret' or expiring URLs. You can also
reverse the flow - have the third-party server redirect to you if the
user is not authenticated, have a handler on your app that generates
the token and redirects back to the third-party server. This may be
the better option, in fact.

You may find it simpler to use something like OAuth to achieve this,
which will take care of everything except issuing and validating the
cookie. Or you might find it easier to do yourself - but you run the
risk of making a mistake that makes your service vulnerable, of
course. Don't take my off-the-cuff description of how to generate the
token as gospel, naturally.

-Nick

On Mon, Aug 3, 2009 at 4:04 AM, jivany<[email protected]> wrote:
>
> I've been unsuccessfully searching through the group for some pointers
> on how to implement this.
>
> Here's my scenario - I want to be able to push large images and videos
> online, files that would be larger than the current App Engine
> limits.  I want to control access to these files as if they were blobs
> in an App Engine datastore (simple stuff like controlling who can view
> them) but I want to store them on a third party server (that I have
> control over). Obviously, a direct URL to the image isn't good as
> anyone could find that. I'd need a simple backend script running on
> the third-party server.
>
> I don't really care about how the files are actually going to get
> where they need to go, I can manage that.  What I'm having trouble
> with is how to set up that third-party server with a simple script that
> would serve up the content when requested by the App Engine front end.
> That script would have to check that the request is coming from the
> front-end and for a valid (authorized) user.
>
> This seems like a pretty trivial thing to do but I can't figure out
> what I need to pull it off. Any help is appreciated!
>



-- 
Nick Johnson, Developer Programs Engineer, App Engine
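
The token from steps 1 and 3 of the flow above, as an added example that is not part of the original message or of any App Engine code. The secret value, the 300-second window, the `|`-separated token layout, and the inclusion of the continue URL in the MAC are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed placeholder; use a random key known only to the app and the file server.
SHARED_SECRET = b"constructed-example-secret"
MAX_AGE_SECONDS = 300  # assumed freshness window; both clocks must be roughly in sync


def _mac(secret, *fields):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_token(username, continue_url, now=None, secret=SHARED_SECRET):
    """Step 1 (app side): username|timestamp|HMAC-SHA256 hex digest."""
    ts = str(int(time.time() if now is None else now))
    # Assumption beyond the post: the continue URL is MACed too, so it cannot be swapped.
    return "|".join([username, ts, _mac(secret, username, ts, continue_url)])


def verify_token(token, continue_url, now=None, secret=SHARED_SECRET):
    """Step 3 (third-party side): return the username, or None if forged or stale."""
    parts = token.rsplit("|", 2)  # usernames may contain "|"; ts and MAC never do
    if len(parts) != 3:
        return None
    username, ts, mac = parts
    expected = _mac(secret, username, ts, continue_url)
    # Constant-time comparison avoids leaking how many MAC characters matched.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    age = int(time.time() if now is None else now) - int(ts)
    if not 0 <= age <= MAX_AGE_SECONDS:
        return None  # expired, or timestamped in the future
    return username  # caller now issues its own session cookie for this user
```

A token stays replayable until it expires, so the window should be short and the redirect should travel over HTTPS.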
