I want to make sure that random internet traffic can't access it. I'm using
Cloud Endpoints v2 for Java. My problem is that anyone can access these
endpoint methods through API Explorer or directly from the URL if someone
knows it. I want to protect my endpoints. I read the documentation on how to
restrict the whole API or some methods by using an API key.
https://cloud.google.com/endpoints/docs/frameworks/java/restricting-api-access-with-api-keys-frameworks
Here is what I'm trying.
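import com.google.api.server.spi.config.AnnotationBoolean;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.config.Named;

@Api(
    name = "zeem",
    version = "v1"
)
public class Account {
    // This method is annotated to require an API key.
    @ApiMethod(name = "getRegistration", path = "getRegistration",
            apiKeyRequired = AnnotationBoolean.TRUE)
    public Registered getRegistration(@Named("phone") Long phone) {
        // code ....
    }
}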
I can run this method without any API key from API Explorer and it works
successfully.
Even when I try to access this method directly from the URL, it also works,
successfully returning the correct data.
I'm adding API management. Here is how openapi.json looks for this function.
"/zeem/v1/getRegistration": {
  "get": {
    "operationId": "ZeemGetRegistration",
    "parameters": [
      {
        "name": "phone",
        "in": "query",
        "required": true,
        "type": "integer",
        "format": "int64"
      }
    ],
    "responses": {
      "200": {
        "description": "A successful response",
        "schema": {
          "$ref": "#/definitions/Registered"
        }
      }
    },
    "security": [
      {
        "api_key": [ ]
      }
    ]
  }
},
See the image below for how the Endpoints services look in the GCP console.
[image: endpoint.PNG]
Here is my Web.xml.
<?xml version="1.0" encoding="utf-8"?>
<!-- [START_EXCLUDE] -->
<!--
  Copyright 2016 Google Inc.
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at
        http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- [END_EXCLUDE] -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <welcome-file-list>
        <welcome-file>welcome</welcome-file>
    </welcome-file-list>
    <!-- OBJECTIFY -->
    <filter>
        <filter-name>ObjectifyFilter</filter-name>
        <filter-class>com.googlecode.objectify.ObjectifyFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ObjectifyFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- ENDPOINTS -->
    <servlet>
        <servlet-name>EndpointsServlet</servlet-name>
        <servlet-class>com.google.api.server.spi.EndpointsServlet</servlet-class>
        <init-param>
            <param-name>services</param-name>
            <param-value>
                org.octabyte.zeem.API.Account,
                org.octabyte.zeem.API.CommentApi,
                org.octabyte.zeem.API.FriendApi,
                org.octabyte.zeem.API.ListApi,
                org.octabyte.zeem.API.PostApi,
                org.octabyte.zeem.API.SearchApi,
                org.octabyte.zeem.API.UserApi,
                org.octabyte.zeem.API.StoryApi
            </param-value>
        </init-param>
    </servlet>
    <!-- Route API method requests to the backend. -->
    <servlet-mapping>
        <servlet-name>EndpointsServlet</servlet-name>
        <url-pattern>/_ah/api/*</url-pattern>
    </servlet-mapping>
    <!-- Security -->
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>admin</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
</web-app>
And here is what my pom.xml looks like.
<!-- Copyright 2016 Google Inc. Licensed under the Apache License, Version
     2.0 (the "License"); you may not use this file except in compliance with
     the License. You may obtain a copy of the License at
     http://www.apache.org/licenses/LICENSE-2.0
     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
     WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
     License for the specific language governing permissions and limitations
     under the License. -->
<project>
    <modelVersion>4.0.0</modelVersion>
    <packaging>war</packaging>
    <version>1.0-SNAPSHOT</version>
    <groupId>com.azeem.endpoint</groupId>
    <artifactId>endpoint</artifactId>
    <!-- [START properties] -->
    <properties>
        <!-- OBJECTIFY -->
        <objectify.version>5.1.5</objectify.version>
        <guava.version>19.0</guava.version>
        <!-- ENDPOINTS -->
        <endpoints.framework.version>2.0.8</endpoints.framework.version>
        <endpoints.management.version>1.0.4</endpoints.management.version>
        <endpoints.project.id>my-profect-id</endpoints.project.id>
        <maven.compiler.target>1.8</maven.compiler.target>
        <maven.compiler.source>1.8</maven.compiler.source>
    </properties>
    <!-- [END properties] -->
    <dependencies>
        <!-- Firebase push Notification -->
        <dependency>
            <groupId>com.google.firebase</groupId>
            <artifactId>firebase-admin</artifactId>
            <version>6.2.0</version>
        </dependency>
        <!-- End Firebase push Notification-->
        <!-- GEO HASH -->
        <dependency>
            <groupId>de.alpharogroup</groupId>
            <artifactId>jgeohash-core</artifactId>
            <version>2.4.0</version>
        </dependency>
        <!-- END GEO HASH -->
        <!-- [START Objectify_Dependencies] -->
        <dependency>
            <groupId>com.google.guava</groupId>
            <artifactId>guava</artifactId>
            <version>${guava.version}</version>
        </dependency>
        <dependency>
            <groupId>com.googlecode.objectify</groupId>
            <artifactId>objectify</artifactId>
            <version>${objectify.version}</version>
        </dependency>
        <!-- [END Objectify_Dependencies] -->
        <!-- ENDPOINTS -->
        <dependency>
            <groupId>com.google.endpoints</groupId>
            <artifactId>endpoints-framework</artifactId>
            <version>${endpoints.framework.version}</version>
        </dependency>
        <dependency>
            <groupId>com.google.endpoints</groupId>
            <artifactId>endpoints-management-control-appengine-all</artifactId>
            <version>1.0.5</version>
        </dependency>
        <!-- Parent POM defines ${appengine.sdk.version} (updates frequently). -->
        <dependency>
            <groupId>com.google.appengine</groupId>
            <artifactId>appengine-api-1.0-sdk</artifactId>
            <version>1.9.57</version>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>3.1.0</version>
            <type>jar</type>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>jstl</groupId>
            <artifactId>jstl</artifactId>
            <version>1.2</version>
        </dependency>
        <dependency>
            <groupId>com.google.api-client</groupId>
            <artifactId>google-api-client-appengine</artifactId>
            <version>1.23.0</version>
        </dependency>
    </dependencies>
    <build>
        <!-- for hot reload of the web application -->
        <outputDirectory>${project.build.directory}/${project.build.finalName}/WEB-INF/classes</outputDirectory>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <version>3.0.0</version>
                <configuration>
                    <webResources>
                        <!-- in order to interpolate version from pom into appengine-web.xml -->
                        <resource>
                            <directory>${basedir}/src/main/webapp/WEB-INF</directory>
                            <filtering>true</filtering>
                            <targetPath>WEB-INF</targetPath>
                        </resource>
                    </webResources>
                </configuration>
            </plugin>
            <plugin>
                <groupId>com.google.cloud.tools</groupId>
                <artifactId>appengine-maven-plugin</artifactId>
                <version>1.3.1</version>
                <configuration>
                    <deploy.promote>true</deploy.promote>
                    <deploy.stopPreviousVersion>true</deploy.stopPreviousVersion>
                </configuration>
            </plugin>
            <plugin>
                <groupId>com.google.cloud.tools</groupId>
                <artifactId>endpoints-framework-maven-plugin</artifactId>
                <version>1.0.2</version>
                <configuration>
                    <!-- plugin configuration -->
                    <hostname>${endpoints.project.id}.appspot.com</hostname>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>
Can you please let me know what I'm missing? I can access endpoint
methods without any API key.
I also posted a question on Stack Overflow here:
https://stackoverflow.com/questions/52005671/restricting-my-endpoints-with-api-key-in-java
--
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit
https://groups.google.com/d/msgid/google-appengine/3001f19c-7d64-41b5-8d36-9c75a3b76e09%40googlegroups.com.
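
Added example, not part of the original post: Google's "Adding API management" guide for Endpoints Frameworks puts two servlet filters in front of EndpointsServlet, and the web.xml in the message declares only ObjectifyFilter. The check below reports which of those filters are not mapped onto the Endpoints servlet; the filter class names are taken from that guide (an assumption here, they do not appear in the post) and the sample XML is constructed from the posted file.

```python
import xml.etree.ElementTree as ET

# Assumption: filter class names as given in Google's "Adding API management"
# guide for Endpoints Frameworks v2; they do not appear in the original post.
REQUIRED = (
    "com.google.api.control.ServiceManagementConfigFilter",
    "com.google.api.control.extensions.appengine.GoogleAppEngineControlFilter",
)
ENDPOINTS_SERVLET = "com.google.api.server.spi.EndpointsServlet"

def _children(root, name):
    # Match on the local tag name so the javaee namespace does not matter.
    return [e for e in root if e.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else None

def missing_management_filters(web_xml):
    """Return the REQUIRED filter classes not mapped onto EndpointsServlet."""
    root = ET.fromstring(web_xml)
    servlets = {_text(s, "servlet-name") for s in _children(root, "servlet")
                if _text(s, "servlet-class") == ENDPOINTS_SERVLET} - {None}
    patterns = {_text(m, "url-pattern") for m in _children(root, "servlet-mapping")
                if _text(m, "servlet-name") in servlets} - {None} | {"/*"}
    classes = {_text(f, "filter-name"): _text(f, "filter-class")
               for f in _children(root, "filter")}
    covered = set()
    for m in _children(root, "filter-mapping"):
        # A mapping counts if it names the servlet or its URL pattern (or /*).
        if _text(m, "servlet-name") in servlets or _text(m, "url-pattern") in patterns:
            covered.add(classes.get(_text(m, "filter-name")))
    return [c for c in REQUIRED if c not in covered]

# Constructed sample: the filter and servlet sections of the posted web.xml.
POSTED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter><filter-name>ObjectifyFilter</filter-name>
    <filter-class>com.googlecode.objectify.ObjectifyFilter</filter-class></filter>
  <filter-mapping><filter-name>ObjectifyFilter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
  <servlet><servlet-name>EndpointsServlet</servlet-name>
    <servlet-class>com.google.api.server.spi.EndpointsServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>EndpointsServlet</servlet-name>
    <url-pattern>/_ah/api/*</url-pattern></servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    print(missing_management_filters(POSTED))
```

For the posted configuration the function returns both class names, meaning no API management filter sits in front of `/_ah/api/*`.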