CS6320:  SW Engineering of Web Based Systems


Google App Engine: Secure Connections (https)

architecture

  • GAE accepts both http and https connections from appspot.com URLs
  • Can configure the front end to accept or reject https
  • application code DOES NOTHING (yeah!) except consume the decrypted request and provide a response
    that App Engine encrypts before sending it back to the client.
  • https on port 443, the standard port used by browsers for https:// URLs.
  • http on port 80.
  • The development server does not support secure connections, and ignores the security settings in the configuration. You can test these URLs during development using the nonsecure equivalent URLs.
    • Because HTTPS uses the domain name to validate the secure connection, requests to
      versioned appspot.com URLs, such as https://3.latest.ae-book.appspot.com/, will
      display a security warning in the browser saying that the domain does not match the
      security certificate. You can accept the warning to bypass this check against imposters
      (the check that guards against "man-in-the-middle" attacks) and continue loading the page.


GAE Java Project Security https settings for URL paths

  • Use the deployment descriptor (web.xml) to require secure connections for certain URL paths.
  • In the web.xml file, you declare a security constraint for a URL path or set of URL paths as follows:

Example - requests for paths under /home/* (e.g. http://puzzle.sci.csueatbay.edu/home/checkit.jsp) will require https:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>home</web-resource-name>
        <url-pattern>/home/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

NOTE: the value of web-resource-name is arbitrary (it is just a label), but the element itself is required.


GAE Java Project turning off https (SSL) -- default is on


  • disable SSL in the appengine-web.xml file if you do not want users accessing your app with HTTPS:

    <ssl-enabled>false</ssl-enabled>
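The two descriptor settings above (the web.xml security constraint and the appengine-web.xml ssl-enabled flag) interact: a CONFIDENTIAL path is only reachable if the front end still accepts https. The script below is an added example, not part of these course notes and not code from Google App Engine. It parses web.xml for CONFIDENTIAL constraints, applies the servlet url-pattern matching rules (exact path, "/prefix/*", "*.ext") to decide whether a given request path must be served over https, and flags the misconfiguration where ssl-enabled is false while web.xml still demands https for some paths. Both descriptor strings are constructed sample input; the application name and the extra url-patterns are hypothetical.

```python
"""Offline audit of a GAE Java project's transport-security settings.

Added example (not from the course notes or from Google App Engine):
reads web.xml and appengine-web.xml as strings and reports which request
paths require https and whether the two descriptors contradict each other.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.xml: /home/* and one exact path require https,
# /static/* explicitly allows plain http.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>home</web-resource-name>
      <url-pattern>/home/*</url-pattern>
      <url-pattern>/account/login</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public</web-resource-name>
      <url-pattern>/static/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample appengine-web.xml files ("example-app" is hypothetical).
APPENGINE_WEB_XML_SSL_OFF = """<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
  <application>example-app</application>
  <ssl-enabled>false</ssl-enabled>
</appengine-web-app>
"""
APPENGINE_WEB_XML_DEFAULT = """<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
  <application>example-app</application>
</appengine-web-app>
"""


def _local(tag):
    """Strip the XML namespace so descriptors with or without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def _find_all(node, name):
    """All descendant elements (including node itself) with the given local name."""
    return [el for el in node.iter() if _local(el.tag) == name]


def _text(node, name):
    """Trimmed text of the first descendant element with the given local name, or None."""
    for el in _find_all(node, name):
        if el.text:
            return el.text.strip()
    return None


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: default '/', path prefix, extension, exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path


def confidential_patterns(web_xml):
    """url-patterns whose security-constraint demands TLS (CONFIDENTIAL or INTEGRAL)."""
    patterns = []
    for sc in _find_all(ET.fromstring(web_xml), "security-constraint"):
        guarantee = (_text(sc, "transport-guarantee") or "NONE").upper()
        if guarantee in ("CONFIDENTIAL", "INTEGRAL"):
            for up in _find_all(sc, "url-pattern"):
                patterns.append(up.text.strip())
    return patterns


def requires_https(web_xml, path):
    """True if the request path (query string ignored) falls under a TLS-only constraint."""
    path = path.split("?", 1)[0]
    return any(pattern_matches(p, path) for p in confidential_patterns(web_xml))


def ssl_enabled(appengine_web_xml):
    """Value of <ssl-enabled>; absent means the default, which is on."""
    value = _text(ET.fromstring(appengine_web_xml), "ssl-enabled")
    return True if value is None else value.lower() == "true"


def audit(web_xml, appengine_web_xml):
    """Findings as strings; empty list means the two descriptors are consistent."""
    findings = []
    patterns = confidential_patterns(web_xml)
    if patterns and not ssl_enabled(appengine_web_xml):
        findings.append("ssl-enabled is false but web.xml requires https for: "
                        + ", ".join(patterns))
    return findings


if __name__ == "__main__":
    for p in ["/home/checkit.jsp", "/homepage", "/static/logo.png", "/account/login"]:
        print(p, "-> https required" if requires_https(WEB_XML, p) else "-> http allowed")
    print(audit(WEB_XML, APPENGINE_WEB_XML_SSL_OFF))
```

Note that "/homepage" does not match "/home/*" because prefix patterns only match at a path-segment boundary; that is the behaviour a reviewer should expect when checking which of an app's paths the constraint really covers.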
© Lynne Grewe