https only in google app engine

Asked 20/3, 2011 at 10:45 Answered 11/10, 2018 at 7:25

google-app-engine https maven-gae-plugin

I am on a google app engine project now. In my application I have to allow only https protocol. And I have to restrict other protocols. It should allow https only. I have added the below code in web.xml.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

But after deploying it works on both the protocols(http and https). How to restrict http?

Delft answered 20/3, 2011 at 10:45 Comment(2)

Are you testing the same version of the app you deployed to? Have you tried removing the "<web-resource-name>"? – Willette 20/3, 2011 at 13:59

I am testing the same version I deployed. I have not tested by removing the web resource name.Let me try that now.Thanks. – Delft 20/3, 2011 at 14:7

It is possible to configure the individual handlers to require HTTPS in the app.yaml file in the WEB-INF folder as described here: Java Application Configuration Using app.yaml - Google App Engine.

You just have to add these two words to your app.yaml file under the appropriate url entry:
secure: always

For example:

- url: .*
  script: main.app
  secure: always

Then if a user tries to access the URL with HTTP she will be automatically redirected to HTTPS. Pretty cool.

Hilel answered 11/6, 2011 at 13:7 Comment(7)

It appears that SSL support for custom domains have been added for GAE now. developers.google.com/appengine/docs/ssl?hl=fr Thanks for the: secure: always part – Progressionist 6/6, 2013 at 18:24

Thanks for the comment. Removed that paragraph (as strike-through is not available here). – Hilel 8/6, 2013 at 12:33

can I run an App on GAE without SSL? – Crochet 23/6, 2015 at 8:58

Yes. That’s the default. – Hilel 23/6, 2015 at 16:26

How can I do this with nodejs? The url entry doesn't seem available in app.yaml. – Cycling 2/2, 2018 at 1:40

Would love to know how to do this using Ruby on Rails – Durham 31/3, 2018 at 12:59

in documentation you need to use: - url: ./*. cloud.google.com/appengine/docs/standard/nodejs/… – Woorali 22/3, 2022 at 15:18

If you want to stick with "web.xml" rather than using the "app.yaml" option (which will overwrite your web.xml & appengine-web.xml files at deploy time), you can add in:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>everything</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Reference: https://cloud.google.com/appengine/docs/java/config/webxml#Security_and_Authentication

Pastoral answered 15/10, 2014 at 23:41 Comment(0)

Are you using your own domain? At present, GAE supports SSL for *.appspot.com domains only. They have been promising SSL support for non-appspot domains for some time now and we're all waiting for news on that front.

Munro answered 20/3, 2011 at 14:8 Comment(1)

SSL for a custom domain is supported now support.google.com/a/answer/2644334?hl=en – Stickweed 4/2, 2015 at 19:40

This is for future folks !!!

In java adding the code below in my web.xml file worked for me

<security-constraint>
   <web-resource-collection>
      <web-resource-name>HTTPS redirect</web-resource-name>
      <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>

For other project add secure: always under all urls in app.yaml file

Tangerine answered 11/10, 2018 at 7:25 Comment(0)

Add this to your web.xml file

<security-constraint>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Brevity answered 3/5, 2017 at 11:36 Comment(0)

Recommended topics

Hot tags