Google App Engine: Secure Connections (https)
- GAE accepts both http and https connections from appspot.com URLs
- Can configure front end to accept or reject https
- application code DOES NOTHING (yeah!) except consume the decrypted request and provide a response
that is then encrypted by App Engine.
- the standard port
used by browsers for https:// URLs.
- , and ignores the security
settings in the configuration. You can test these URLs during development using the
nonsecure equivalent URLs.
- Because HTTPS uses the domain name to validate the secure connection, requests to
versioned appspot.com URLs, such as https://3.latest.ae-book.appspot.com/, will
display a security warning in the browser saying that the domain does not match the
security certificate. You can accept the warning to bypass this check against imposters
(which guards against "man-in-the-middle" attacks) and continue loading the page.
GAE Java Project Security https settings for URL paths
- deployment descriptor to require secure connections
for certain URL paths.
- In the web.xml file, you declare a security constraint
for a URL path or set of URL paths as follows:
Example - paths matching /home/* will require https (e.g. http://puzzle.sci.csueatbay.edu/home/checkit.jsp)
<security-constraint>
    <web-resource-collection>
        <web-resource-name>home</web-resource-name>
        <url-pattern>/home/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
NOTE: the web-resource-name value is not important, but the element is required
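An added example (not part of the original notes and not App Engine's own code): a Python check that reads a web.xml and reports which URL paths carry the CONFIDENTIAL transport guarantee, so a path left without one stands out before deployment. The sample descriptor, the /public/* path and the function names are constructed for illustration; only exact and /prefix/* patterns are handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the original page): /home/* is
# protected as in the notes above, /public/* declares no transport guarantee.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>home</web-resource-name>
      <url-pattern>/home/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip an XML namespace so '{ns}url-pattern' compares as 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]

def transport_guarantees(web_xml_text):
    """Map each declared url-pattern to its transport-guarantee (NONE if absent)."""
    result = {}
    for sc in ET.fromstring(web_xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        kids = [(local(e.tag), (e.text or "").strip()) for e in sc.iter()]
        guarantee = next((t.upper() for n, t in kids if n == "transport-guarantee"), "NONE")
        result.update({t: guarantee for n, t in kids if n == "url-pattern"})
    return result

def requires_https(path, web_xml_text):
    """True if the best-matching url-pattern for path is CONFIDENTIAL."""
    best, best_len = "NONE", -1
    for pattern, guarantee in transport_guarantees(web_xml_text).items():
        if pattern == path:
            return guarantee == "CONFIDENTIAL"  # an exact match wins outright
        if pattern.endswith("/*"):
            prefix = pattern[:-2]
            if (path == prefix or path.startswith(prefix + "/")) and len(prefix) > best_len:
                best, best_len = guarantee, len(prefix)  # longest prefix wins
    return best == "CONFIDENTIAL"
```

Note that /homepage is not covered by /home/*: the prefix match requires the path to be /home itself or to continue with a slash.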
GAE Java Project turning off https (SSL) --default is on
- disable SSL in appengine-web.xml file if you do not want users accessing your app with HTTPS
<ssl-enabled>false</ssl-enabled>