问题
I'm using the following security constraint in the deployment descriptor of my GWT app, which is deployed on Google App Engine (GAE) for Java:
<security-constraint>
<web-resource-collection>
<url-pattern>ds/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
My app is using Google Accounts for authentication.
It works perfectly fine in the hosted mode (Eclipse), but when I deploy the app to GAE, the constraint doesn't work. For example, in the hosted mode, when I try to access a resource in the ds folder, it redirects me to the login page. After login, it gives access to admin users only. But in the deployed app, anyone can access the resource without any authentication / authorization.
I haven't had a chance to test this on the "default" version of the app (http://myappid.appspot.com), but it surely doesn't work on other versions (like http://5.myappid.appspot.com).
Am I missing something obvious here?
Thanks.
回答1:
I'd have thought you needed /ds/* . Your example doesn't have a preceding slash.
来源:https://stackoverflow.com/questions/5872974/google-app-engine-security-constraint-is-not-working