
Is this a safe way of handling access in Google App Engine?

I want to give a few persons access to my Google app. I can assume that they are using Gmail, so is this a safe procedure?

I add their Gmail address to a database. I then extract their email like this and check if it is present in the database:

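```java
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

UserService userService = UserServiceFactory.getUserService();
User user = userService.getCurrentUser(); // null if nobody is signed in
String email = user.getEmail();
// check if email is in database
```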

Of course I handle the case where they are not logged in, and I understand that my app could be vulnerable in other parts of my code. But is this part safe?

Cheers,

Use user.getUserId() instead of getEmail(). Users can change their email addresses but the UserIDs remain the same.

Yes, this is fine - you can trust the email address returned by the UserService to be accurate - only the owner of that account can authenticate and return that value. As Fabrizio says, if you can you should store the user ID instead of the email, so that you are robust against your users changing their email address.
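The two answers combined, as an added example that is not part of the original posts: the allowlist starts as invited email addresses (the only thing known in advance), and on first sign-in the email is bound to the stable user ID, which is what later requests are checked against. The class name `RestrictedServlet` and the two in-memory sets are assumptions standing in for the asker's database.

```java
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RestrictedServlet extends HttpServlet {
    // Assumption: in-memory stand-ins for the database tables.
    // invitedEmails holds lower-cased addresses added by the app owner.
    private static final Set<String> invitedEmails = ConcurrentHashMap.newKeySet();
    private static final Set<String> allowedUserIds = ConcurrentHashMap.newKeySet();

    /** True if the user is allowed; binds an invited email to its user ID on first sign-in. */
    static boolean isAllowed(User user) {
        String id = user.getUserId();
        if (id != null && allowedUserIds.contains(id)) {
            return true; // already bound: survives a later email change
        }
        String email = user.getEmail();
        if (id == null || email == null) {
            return false;
        }
        // One-time binding: consume the invitation and remember the stable ID.
        if (invitedEmails.remove(email.toLowerCase(Locale.ROOT))) {
            allowedUserIds.add(id);
            return true;
        }
        return false;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        UserService userService = UserServiceFactory.getUserService();
        User user = userService.getCurrentUser(); // null when nobody is signed in
        if (user == null) {
            resp.sendRedirect(userService.createLoginURL(req.getRequestURI()));
            return;
        }
        if (!isAllowed(user)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // signed in, but not on the list
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello, " + user.getEmail());
    }
}
```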
