I can't say whether it's exactly the same problem you're seeing, but I couldn't get Vosao's (cookie-based) authentication to work with Cloud Endpoints. The reason is that the way Endpoints is implemented (in Java, at least), there's a servlet listening to REST requests that internally posts an RPC request to another servlet. This mechanism means that the cookie from the first request is passed on to the second request, but for subsequent requests the internal "socket" between the two servlets was already established with the first request. Therefore all subsequent requests are authenticated as if they were coming from the first user, a security nightmare. There might be a way around it, for example avoiding REST requests altogether and using RPC directly.

On Friday, 21 February 2014 02:58:56 UTC+13, Brian Henry wrote:
>
> After posting that, I found a bug report with the same problem:
> https://code.google.com/p/googleappengine/issues/detail?id=10100
>
> I also figured there should be an annotation:
> @ApiAuth(allowCookieAuth = AnnotationBoolean.TRUE)
>
> but it didn't make any difference when I tried it.
>
> Cookie is in the request header on the dev server but not on appspot. I
> get the following headers:
> Host
> Accept
> Accept-Language
> Cache-Control
> Content-Length
> Content-Type
> dnt
> method
> origin
> originalMethod
> Referer
> User-Agent
> X-Appengine-Peer
> Accept-Charset
> X-AppEngine-Country
> X-AppEngine-Region
> X-AppEngine-City
> X-AppEngine-CityLatLong
>
> On Thursday, 20 February 2014 03:01:35 UTC, Vinny P wrote:
>>
>> On Mon, Feb 17, 2014 at 7:07 AM, Brian Henry <[email protected]> wrote:
>>
>>> Can anyone tell me how to allow cookies when using Cloud Endpoints with
>>> Java? They're accessible when using the local dev server but once I deploy
>>> to .appspot HttpServletRequest.getCookies() is null.
>>
>> If you call HttpServletRequest.getHeaderNames(), do you see the cookie
>> request headers listed?
>>
>> -----------------
>> -Vinny P
>> Technology & Media Advisor
>> Chicago, IL
>>
>> App Engine Code Samples: http://www.learntogoogleit.com
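
The failure mode described in the reply at the top of this thread (identity resolved once for a reused internal channel instead of on every request), modelled as an added example with a regression check that catches it. This is not Cloud Endpoints or Vosao code; the class names, session ids and users are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;

// Hypothetical model: a front end forwards requests to a backend over a
// reused internal channel. None of these names come from Cloud Endpoints.
public class StickyIdentityDemo {
    // Constructed session store: cookie value -> user name.
    static final Map<String, String> SESSIONS = Map.of("sid-a", "alice", "sid-b", "bob");

    interface Channel { String forward(String cookie); }

    // Flawed: the user is resolved when the channel is first used and then
    // reused for every later request that travels over the same channel.
    static class ConnectionBoundChannel implements Channel {
        private String cachedUser;
        public String forward(String cookie) {
            if (cachedUser == null) cachedUser = SESSIONS.get(cookie);
            return cachedUser;
        }
    }

    // Corrected: the user is re-derived from the credential on each request.
    static class PerRequestChannel implements Channel {
        public String forward(String cookie) { return SESSIONS.get(cookie); }
    }

    // Regression check: interleave requests from different users (plus one
    // unknown cookie) and report every response bound to the wrong identity.
    static List<String> findIdentityMixups(Channel channel) {
        String[] cookies = {"sid-a", "sid-b", "sid-a", "no-such-session"};
        List<String> mixups = new ArrayList<>();
        for (String cookie : cookies) {
            String expected = SESSIONS.get(cookie); // null means anonymous
            String actual = channel.forward(cookie);
            if (!Objects.equals(expected, actual)) {
                mixups.add(cookie + ": expected " + expected + ", got " + actual);
            }
        }
        return mixups;
    }

    public static void main(String[] args) {
        System.out.println("connection-bound: " + findIdentityMixups(new ConnectionBoundChannel()));
        System.out.println("per-request:      " + findIdentityMixups(new PerRequestChannel()));
    }
}
```

The same interleaved-identity check can be pointed at a real deployment by replacing `Channel.forward` with an HTTP call that echoes the authenticated user.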
