I have a legacy GAE Java project that uses the standard Java sessions (with the default GAE support) to store the user ID following a custom authentication flow that involves another 3rd party.

I was looking to move from using raw servlets to Cloud Endpoints while keeping the current authentication flows, but was struggling to find a way to access the session from the API service class given all cookies are stripped from the request. Looks like this question is asked a lot but without a clear answer. Finally I was able to get it to work by specifying "auth = @ApiAuth(allowCookieAuth = AnnotationBoolean.TRUE)" in the @Api declaration.

My question is regarding potential flaws in this approach, as I haven't seen any other example following it. Moreover, the documentation <https://cloud.google.com/endpoints/docs/frameworks/legacy/v1/java/javadoc/com/google/api/server/spi/config/ApiAuth> says "be very cautious in enabling this setting, and make sure to require appropriate XSRF tokens to protect your API".

Is there a better way to achieve what I'm looking for? Any red flags I should be addressing?

Thanks in advance.
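
An added example, not part of the original post and not code from the Endpoints project: one way to implement the XSRF token check that the quoted documentation asks for when cookie auth is enabled. It binds the token to the servlet session ID with HMAC-SHA256. The class name `XsrfTokens`, its methods and the sample session IDs are hypothetical, and the server secret is assumed to come from application configuration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Hypothetical helper: XSRF tokens bound to the session ID via HMAC-SHA256. */
public final class XsrfTokens {
    private final SecretKeySpec key;

    public XsrfTokens(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }

    /** Token given to the page after login; the client echoes it in a custom header. */
    public String issue(String sessionId) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac(sessionId));
    }

    /** True only if the presented value is the token for this exact session. */
    public boolean verify(String sessionId, String presented) {
        if (sessionId == null || presented == null) return false; // no session or no token
        byte[] raw;
        try {
            raw = Base64.getUrlDecoder().decode(presented);
        } catch (IllegalArgumentException e) {
            return false; // not valid base64url
        }
        return MessageDigest.isEqual(mac(sessionId), raw); // constant-time comparison
    }

    private byte[] mac(String sessionId) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(key);
            return m.doFinal(sessionId.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // constructed key for the demo only
        XsrfTokens xsrf = new XsrfTokens(secret);
        String token = xsrf.issue("session-A"); // constructed session IDs
        System.out.println("same session:  " + xsrf.verify("session-A", token));
        System.out.println("other session: " + xsrf.verify("session-B", token));
        System.out.println("missing token: " + xsrf.verify("session-A", null));
    }
}
```

An API method would call `verify` with the current session ID and the value of an application-chosen request header before trusting the user ID stored in the session. A cross-site page can cause the browser to send the session cookie, but it cannot read the token or set that header.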
