验证Google App Engine中的所有API端点

Question

I have the following Google Cloud Endpoints API, and I want it accesible only for authenticated users with certain role.

Few lines of code says much more than a thousand words:

import com.google.appengine.api.users.User;

@Api(
    name = "heroesApi",
    version = "v1",
    clientIds = {...},
    scopes = {...},
    audiences = {...},
    namespace = @ApiNamespace(
        ownerDomain = "my.domain.com",
        ownerName = "my.domain.com",
        packagePath=""
    )
)

public class HeroesApi {

    // THIS IS THE FUNCTION THAT I DON´T KNOW WHERE TO PUT
    /**
     * Validates that the user is logged in with a specific role
     * @param user
     * @throws UnauthorizedException
     * @throws ForbiddenException
     */
    private void validateUser(User user) throws UnauthorizedException, ForbiddenException {
        IUserController userController = ControllerFactory.get.userController();
        if (user == null) {
            throw new ForbiddenException("You must be logged in, my friend.");
        } else if (!userController.isLoggedAsSuperHero(user)) {
            throw new UnauthorizedException("You must be logged in as a Superhero.");
        }
    }


    // API METHODS

    @ApiMethod(path = "something", httpMethod = ApiMethod.HttpMethod.PUT)
    public DoneTask doSomething(Some thing, User superhero) throws UnauthorizedException, ForbiddenException {

        // this is what I want to avoid on each function
        this.validateUser(superhero);

        // Now I'll do something special
        IUserController userController = ControllerFactory.get.userController();
        return userController.doSome(thing);

    }

   // MORE GORGEOUS METHODS JUST FOR SUPERHEROES, SO I HAVE TO PERFORM THE VALIDATION...

}

I have though about adding a filter through the web.xml file for all request to /api/heroesApi/*, but the problem there is how to catch the Google Appengine Api User.

Isn´t there something provided by Google to do this?

Any suggestion to avoid the repeated call to validateUser(User) is welcome

Answer 1

Google Cloud Endpoints doesn't supper roles by default , so your application have to build role concept, and you have to write filter and get current user and check against the roles maintained in your end

To get current user in the filter, try this https://cloud.google.com/appengine/docs/java/oauth/

I haven't tested this , but am sure you can get the current user using the UserService Api in appengine as long as your system uses google account as authentication.