How to protect a servlet from external users?

Question

I have tried to use security-constraint in web.xml. I gave permission to admin by using role. How to test whether the servlet is secured and be able to access only by the admin?

Answer 1

To test the servlet, you need at least two Google Accounts. One Google Account must be added as at least a Viewer on your Google App Engine Admin Console, the other Google Account must not be added. The Google Account that is not added in the Admin console should not be able to access any servlet where the role is defined as admin.

If for some reason the tests fail, you need to make sure you've followed all the steps in the documentation to secure the servlet and implement an authentication schema. Below outlines using Google OAuth and the UserService as an example.

Out of the box, Google App Engine gives you two roles to use within your application: User and Admin.

Admin users are defined as any user that is listed asany one of the three roles on the Google App Engine project, so if you want to grant someone admin access to your servlet, you could add them as a Viewer in the http://appengine.google.com panel.

The UserService class gives you access to the logged in user. You would need to use this to create a login URL for your user, log them in through Google using his or her Google account, redirect him or her to your application, and then use UserService.isUserAdmin() to determine if that user is indeed an admin user.

Using the Users Service describes in detail how to get started using the UserService class.

package guestbook;

import java.io.IOException;
import javax.servlet.http.*;
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

public class GuestbookServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse resp)
          throws IOException {
        UserService userService = UserServiceFactory.getUserService();
        User user = userService.getCurrentUser();

        if (user != null) {
            resp.setContentType("text/plain");
            if(userService.isUserAdmin()) {
                resp.getWriter().println("Hello, " + user.getNickname() + ", you are logged in as an admin");
            } else {
                resp.getWriter().println("Hello, " + user.getNickname());
            }
        } else {
            resp.sendRedirect(userService.createLoginURL(req.getRequestURI()));
        }
    }
}

The Google App Engine Users Java API Overview demonstrates how to handle logging in users on Google App Engine:

import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

public class MyServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        UserService userService = UserServiceFactory.getUserService();

        String thisURL = req.getRequestURI();

        resp.setContentType("text/html");
        if (req.getUserPrincipal() != null) {
            resp.getWriter().println("<p>Hello, " +
                                 req.getUserPrincipal().getName() +
                                 "!  You can <a href=\"" +
                                 userService.createLogoutURL(thisURL) +
                                 "\">sign out</a>.</p>");
        } else {
            resp.getWriter().println("<p>Please <a href=\"" +
                                 userService.createLoginURL(thisURL) +
                                 "\">sign in</a>.</p>");
        } 
    }
}

Securing the Servlet:

If you have pages that the user should not be able to access unless signed in, you can establish a security constraint for those pages in the deployment descriptor (the web.xml

The Deployment Descriptor: Security and Authentication page demonstrates how to modify your web.xml so that only admins can access certain servlets.

<security-constraint>
    <web-resource-collection>
        <url-pattern>/profile/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

In this example, the servlet /profile is accessible by users with any role, indicated by * , and the /admin servlet is only accessible by users with the role admin .

While Google App Engine Java does have built-in security, the roles are somewhat limited. If you need finer grain control over the roles of your users, see Luke Taylor's Post on Spring Security in Google App Engine . The example is old, but if you turn your logging level up to TRACE, you can make it work on the latest versions of Spring and the latest GAE SDK.