Google App Engine: Secure Connections (https)

• GAE accepts both http and https connections from appspot.com URLs
• Can configure front end to accept or reject https
• application code DOES NOTHING (yeah!) except consumes the decrypted request and provides a response
  that is encrypted by App Engine.
• https on port 443, the standard port used by browsers for https:// URLs.
  • 
    
    
• http on port 80.

• The development server does not support secure connections, and ignores the security settings in the configuration. You can test these URLs during development using the nonsecure equivalent URLs.
  • Because HTTPS uses the domain name to validate the secure connection, requests to
    versioned appspot.com URLs, such as https://3.latest.ae-book.appspot.com/, will
    display a security warning in the browser saying that the domain does not match the
    security certificate. You can accept the warning to bypass this check against imposters
    (which guards against "man-in-the-middle" attacks) and continue loading the page.

GAE Java Project Security https settings for URL paths

• deployment descriptor to require secure connections for certain URL paths.
• In the web.xml file, you declare a security constraint for a URL path or set of URL paths as follows:

Example - paths /home/* will be needing https (i.e. http://puzzle.sci.csueatbay.edu/home/checkit.jsp)
<security-constraint>
      <web-resource-collection>
           <web-resource-name>home</web-resource-name>
           <url-pattern>/home/*</url-pattern>
     </web-resource-collection>
                                               
     <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
</security-constraint>

NOTE: web-resource-name is not important but required

GAE Java Project turning off https (SSL) --default is on

• disable SSL in appengine-web.xml file if you do not want users accessing your app with HTTPS
  
  <ssl-enabled>false</ssl-enabled>