>From what I can tell, it doesn't seem to do anything with the user principal in the case where an unauthenticated servlet fires off a task queue request.
The task queue docs indicate that requests from the task queue will be executed with admin rights, but I can't seem to find any way to ensure that this is the case from code. Thanks, -Patrick On Feb 1, 12:22 pm, Patrick Twohig <[email protected]> wrote: > I believe that the App Engine injects the pertinent information from the > Users service. For instance, when you call > HttpServletRequest.getUserPrinicpal(), you're getting values injected by the > UsersService. > > > > > > On Mon, Feb 1, 2010 at 11:02 AM, Eli Jones <[email protected]> wrote: > > If you have a compelling reason for really locking down the task queue url > > (and Require Admin login isn't enough), you could create a mechanism that > > creates a task name for each queued task.. and the task verifies that its > > name is "correct". > > > You could have the task use the X-AppEngine-TaskName header to check its > > name.. > > > So.. when you add a task to the queue.. you do something like this: > > > taskName = getUniqueTaskName() > > nameHash = getHash(taskName) > > > taskqueue.add(url = '/myTaskQueue', countdown = 0, > > name = taskName, > > params = {'nameHash' : nameHash}) > > > and.. in the first part of the /myTaskQueue code.. you could have it verify > > that the 'nameHash' param is equal to getHash() of the TaskName you grab > > from the header.. > > > On Sat, Jan 30, 2010 at 4:07 PM, Patrick Linskey <[email protected]>wrote: > > >> Hi, > > >> I'd like to programmatically ensure that my task queue servlets are > >> only invoked via the task queue. I've got a security constraint in my > >> web.xml, but I'd like to also check in code to avoid any potential mis- > >> configuration in the future. > > >> Is there any supported means to do such a check? > > >> I tried looking at the contents of the HttpServletRequest (isUserInRole > >> (), getAuthType(), getUserPrincipal(), getRemoteName()), to no avail. > >> I also tried UserServiceFactory.getUserService().isAdmin(), but > >> received an exception informing me that no user was logged in. > > >> I can see that there are a number of task queue-specific HTTP headers. > >> Currently, I'm checking that X-AppEngine-TaskRetryCount is present, > >> and if so, assuming that the request has come from the task queue and > >> that it's therefore safe to process. Empirically, it looks like GAE > >> strips out the X-AppEngine-TaskRetryCount header when I specify it in > >> a curl-sourced request. Is this a safe assumption to rely on? Are > >> there plans to document a reliable way to ensure servlet security in a > >> task queue environment? Is there something else that I'm missing? > > >> Also, in an ideal world, it'd be nice if request.isUserInRole("admin") > >> would return true at the appropriate times. > > >> Thanks, > > >> -Patrick > > >> -- > >> You received this message because you are subscribed to the Google Groups > >> "Google App Engine" group. > >> To post to this group, send email to [email protected]. > >> To unsubscribe from this group, send email to > >> [email protected]<google-appengine%2Bunsubscrib > >> [email protected]> > >> . > >> For more options, visit this group at > >>http://groups.google.com/group/google-appengine?hl=en. > > > -- > > You received this message because you are subscribed to the Google Groups > > "Google App Engine" group. > > To post to this group, send email to [email protected]. > > To unsubscribe from this group, send email to > > [email protected]<google-appengine%2Bunsubscrib > > [email protected]> > > . > > For more options, visit this group at > >http://groups.google.com/group/google-appengine?hl=en. > > -- > Patrick H. Twohig. > > Namazu Studios > P.O. Box 34161 > San Diego, CA 92163-4161 > > Office: 619.862.2890 x100 > Cell: 619.453.5075 > Twitter: @svm_invictvs > IRC: [email protected] ##java, #android-dev, #iphonedev, > #appengine > > http://www.namazustudios.com/ > > This communication, and any attachments, shall be considered confidential > and proprietary information of Namazu Studios LLC. This message, and > attachments, are intended for the listed recipients only. If you are not > one of the intended recipients, please destroy all copies of this > communication. -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
