I believe that the App Engine injects the pertinent information from the Users service. For instance, when you call HttpServletRequest.getUserPrinicpal(), you're getting values injected by the UsersService.
On Mon, Feb 1, 2010 at 11:02 AM, Eli Jones <[email protected]> wrote: > If you have a compelling reason for really locking down the task queue url > (and Require Admin login isn't enough), you could create a mechanism that > creates a task name for each queued task.. and the task verifies that its > name is "correct". > > You could have the task use the X-AppEngine-TaskName header to check its > name.. > > So.. when you add a task to the queue.. you do something like this: > > taskName = getUniqueTaskName() > nameHash = getHash(taskName) > > taskqueue.add(url = '/myTaskQueue', countdown = 0, > name = taskName, > params = {'nameHash' : nameHash}) > > and.. in the first part of the /myTaskQueue code.. you could have it verify > that the 'nameHash' param is equal to getHash() of the TaskName you grab > from the header.. > > > > On Sat, Jan 30, 2010 at 4:07 PM, Patrick Linskey <[email protected]>wrote: > >> Hi, >> >> I'd like to programmatically ensure that my task queue servlets are >> only invoked via the task queue. I've got a security constraint in my >> web.xml, but I'd like to also check in code to avoid any potential mis- >> configuration in the future. >> >> Is there any supported means to do such a check? >> >> I tried looking at the contents of the HttpServletRequest (isUserInRole >> (), getAuthType(), getUserPrincipal(), getRemoteName()), to no avail. >> I also tried UserServiceFactory.getUserService().isAdmin(), but >> received an exception informing me that no user was logged in. >> >> I can see that there are a number of task queue-specific HTTP headers. >> Currently, I'm checking that X-AppEngine-TaskRetryCount is present, >> and if so, assuming that the request has come from the task queue and >> that it's therefore safe to process. Empirically, it looks like GAE >> strips out the X-AppEngine-TaskRetryCount header when I specify it in >> a curl-sourced request. Is this a safe assumption to rely on? Are >> there plans to document a reliable way to ensure servlet security in a >> task queue environment? Is there something else that I'm missing? >> >> Also, in an ideal world, it'd be nice if request.isUserInRole("admin") >> would return true at the appropriate times. >> >> Thanks, >> >> -Patrick >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Google App Engine" group. >> To post to this group, send email to [email protected]. >> To unsubscribe from this group, send email to >> [email protected]<google-appengine%[email protected]> >> . >> For more options, visit this group at >> http://groups.google.com/group/google-appengine?hl=en. >> >> > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]<google-appengine%[email protected]> > . > For more options, visit this group at > http://groups.google.com/group/google-appengine?hl=en. > -- Patrick H. Twohig. Namazu Studios P.O. Box 34161 San Diego, CA 92163-4161 Office: 619.862.2890 x100 Cell: 619.453.5075 Twitter: @svm_invictvs IRC: [email protected] ##java, #android-dev, #iphonedev, #appengine http://www.namazustudios.com/ This communication, and any attachments, shall be considered confidential and proprietary information of Namazu Studios LLC. This message, and attachments, are intended for the listed recipients only. If you are not one of the intended recipients, please destroy all copies of this communication. -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
