Restricting access to Google App Engine endpoint methods

Time: 2021-06-06 20:20:13

I have a question about the security of Google App Engine endpoints. I have data inside the datastore which I uploaded, and that data should only be read from the Android app.

I retrieve all the data like this:

Personendpoint.Builder endpointBuilder = new Personendpoint.Builder(
        AndroidHttp.newCompatibleTransport(), new JacksonFactory(), null);
endpointBuilder = CloudEndpointUtils.updateBuilder(endpointBuilder);
CollectionResponsePerson result;

Personendpoint endpoint = endpointBuilder.build();

try {
    result = endpoint.listPerson().execute();
} catch (IOException e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
    result = null;
}

Inside my PersonEndpoint I have this:

@Api(name = "personendpoint", namespace = @ApiNamespace(ownerDomain = "test.com", ownerName = "test.com", packagePath = "personmanagement"))
public class PersonEndpoint {

    /**
     * This method lists all the entities inserted in datastore.
     * It uses HTTP GET method and paging support.
     *
     * @return A CollectionResponse class containing the list of all entities
     * persisted and a cursor to the next page.
     */
    @SuppressWarnings({ "unchecked", "unused" })
    @ApiMethod(name = "listPerson")
    public CollectionResponse<Person> listPerson(@Nullable @Named("cursor") String cursorString,
            @Nullable @Named("limit") Integer limit) 
    {
     ...
    }

Similar to this, there are also the methods insertPerson and removePerson, which are dangerous in this case. An attacker can easily trigger those methods and delete data from my datastore. How can it be protected?

I want to allow the user only to get the data from the datastore. Thank you.

2 solutions

#1


1  

I recommend you secure your endpoints with authentication using OAuth. Besides that, it is your responsibility to check the roles and permissions of the authenticated user and filter the data he will be managing, as in any other web app.
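
What answer #1 describes, applied to the asker's `PersonEndpoint`, as an added example that is not part of the original thread: the `@Api` annotation lists the OAuth client IDs whose tokens are accepted, and `removePerson` checks the injected `User` before deleting. The client IDs, the `EDITORS` allow-list, and the `Person` kind with numeric ids are assumptions.

```java
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.config.ApiNamespace;
import com.google.api.server.spi.config.Named;
import com.google.api.server.spi.response.ForbiddenException;
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.datastore.DatastoreServiceFactory;
import com.google.appengine.api.datastore.KeyFactory;
import com.google.appengine.api.users.User;
import java.util.Collections;
import java.util.Set;

@Api(name = "personendpoint",
     namespace = @ApiNamespace(ownerDomain = "test.com", ownerName = "test.com",
                               packagePath = "personmanagement"),
     scopes = {"https://www.googleapis.com/auth/userinfo.email"},
     // Only tokens issued to these OAuth clients are accepted.
     clientIds = {PersonEndpoint.ANDROID_CLIENT_ID, PersonEndpoint.WEB_CLIENT_ID},
     audiences = {PersonEndpoint.WEB_CLIENT_ID})
public class PersonEndpoint {
    static final String ANDROID_CLIENT_ID = "REPLACE_WITH_ANDROID_CLIENT_ID"; // placeholder
    static final String WEB_CLIENT_ID = "REPLACE_WITH_WEB_CLIENT_ID";         // placeholder

    // Assumption: accounts allowed to modify data (constructed value).
    private static final Set<String> EDITORS = Collections.singleton("owner@example.com");

    // Endpoints injects User; it is null when no valid token from an allowed client is sent.
    private static void requireSignedIn(User user) throws UnauthorizedException {
        if (user == null) {
            throw new UnauthorizedException("Sign-in required");
        }
    }

    private static void requireEditor(User user)
            throws UnauthorizedException, ForbiddenException {
        requireSignedIn(user);
        if (!EDITORS.contains(user.getEmail())) {
            throw new ForbiddenException("Read-only account");
        }
    }

    @ApiMethod(name = "removePerson")
    public void removePerson(@Named("id") Long id, User user)
            throws UnauthorizedException, ForbiddenException {
        requireEditor(user); // authorize before touching the datastore
        DatastoreServiceFactory.getDatastoreService()
                .delete(KeyFactory.createKey("Person", id)); // assumes kind "Person", numeric ids
    }
}
```

On Android, the `null` credential passed to `Personendpoint.Builder` would be replaced by a `GoogleAccountCredential` created with `usingAudience(context, "server:client_id:" + WEB_CLIENT_ID)`. `listPerson` would take the same `User` parameter and call only `requireSignedIn`.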

#2


0  

You can easily enforce security constraints in your web.xml.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>personmanagement</web-resource-name>
        <url-pattern>/personmanagement/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

This will force users to be authenticated with their Google account to access the URL: <role-name>*</role-name>. You can use <role-name>admin</role-name> if you want only app administrators to be able to access the URL (you can add administrators in the cloud console).

See the docs: https://developers.google.com/appengine/docs/java/config/webxml?hl=fr#Security_and_Authentication
