I am using web.xml, but I'm unsatisfied with the potential for a future mis-configuration to open up a hole to these servlets.
I'm reluctant to rely on an obscure rule tucked away in a shared separately-modifiable deployment descriptor to always be properly configured.

> HttpHeaders are very easy to create and send with a http request.

Agreed, but it's also very easy for the appserver to filter out certain headers (which it looks like Google is doing). If they're doing this intentionally, then the existence of a header can provide a meaningful security validation.

-Patrick

On Feb 1, 10:43 am, fhtino wrote:
> IMHO you're on a wrong way. Use web.xml constraints and no other
> things.
> HttpHeaders are very easy to create and send with a http request.
>
> fabrizio
>
> On Jan 30, 10:07 pm, Patrick Linskey wrote:
>
> > ...
> > a curl-sourced request. Is this a safe assumption to rely on? Are
> > there plans to document a reliable way to ensure servlet security in a
> > task queue environment? Is there something else that I'm missing?
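One way to catch the future web.xml mis-configuration discussed in this thread is a build-time check that fails when a task URL is no longer covered by an admin-only constraint. This is an added example, not part of the original messages; the `/tasks/...` paths and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor; the "/tasks/*" pattern is an assumption, "admin" is
# the App Engine role that task queue requests are allowed through.
GOOD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>tasks</web-resource-name>
      <url-pattern>/tasks/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
# The same descriptor after an edit narrowed the protected pattern.
BAD_WEB_XML = GOOD_WEB_XML.replace("/tasks/*", "/tasks/mail")


def _local(tag):
    # Drop the XML namespace so any web-app schema version parses alike.
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]


def _covers(pattern, path):
    # Exact and "/prefix/*" patterns only; "*.ext" and "/" are not handled.
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def unprotected_paths(web_xml, task_paths, role="admin"):
    """Return the task paths not covered by a constraint restricted to `role`."""
    protected = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if _texts(sc, "http-method"):
            continue  # a per-method constraint leaves the other methods open
        if _texts(sc, "role-name") == [role]:
            protected += _texts(sc, "url-pattern")
    return [p for p in task_paths if not any(_covers(q, p) for q in protected)]
```

Run against the deployed descriptor with the list of servlet paths the task queue targets, and fail the build when the returned list is not empty.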
