I am running a Java application on Google App Engine. I protected my admin servlets with a security constraint:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>tasks</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

Now I want to call one of these servlets from server-side code. This seems to be not possible because of this security constraint. Is there a role preventing regular users from accessing these resources but prevents access to calls from server-side code? Or is there another approach to my problem?

jan

1 Answer

You can move the method that you need outside of a secure servlet. Then you can access it either through a secure servlet, or internally.

Andrei Volgin
  • It's a servlet generating a PDF with private data and I want to read it via an input stream to attach it to an email. So I do not want to move it out of the secure area. – jan Jan 07 '16 at 21:45
  • You can create a new class PDFUtility that will return this PDF file as bytes, stream - whatever works for you. You can call this utility from your secure servlet, or you can call this utility from your code elsewhere. If it's the same instance, there is no need to go through an HTTP request. And if you are trying to access a GAE instance from a different server (e.g. GCE instance), then you can create two servlets calling the same utility. One servlet will be protected by security constraint, and another servlet protected by OAuth2 or any other method that you use. – Andrei Volgin Jan 07 '16 at 21:54
  • You are right. I actually don't need the servlet for internal call. I can just refactor that into an internal method. Thank you very much for the hint! – jan Jan 08 '16 at 10:00
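
The refactoring described in the answer and comments, as an added example that is not part of the original thread. The names PdfUtility, AdminPdfServlet, ReportMailer, renderReport and the customerId parameter are hypothetical, and the PDF bytes are a constructed stand-in for the real generation code, which the thread does not show.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.activation.DataHandler;
import javax.mail.MessagingException;
import javax.mail.internet.MimeBodyPart;
import javax.mail.internet.MimeMultipart;
import javax.mail.util.ByteArrayDataSource;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper: plain class with no URL mapping, callable only in-process.
final class PdfUtility {
    static byte[] renderReport(String customerId) {
        // Constructed stand-in; the PDF generation moved out of the servlet goes here.
        return ("%PDF-1.4 sample for " + customerId).getBytes(StandardCharsets.US_ASCII);
    }
}

// Stays mapped under /admin/*, so the <security-constraint> still guards HTTP access.
class AdminPdfServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        byte[] pdf = PdfUtility.renderReport(req.getParameter("customerId"));
        resp.setContentType("application/pdf");
        resp.setContentLength(pdf.length);
        resp.getOutputStream().write(pdf);
    }
}

// Server-side caller: a direct method call, so the container's role check never runs.
final class ReportMailer {
    static MimeMultipart buildBody(String customerId) throws MessagingException {
        MimeBodyPart text = new MimeBodyPart();
        text.setText("Your report is attached.");

        MimeBodyPart attachment = new MimeBodyPart();
        attachment.setFileName("report.pdf");
        attachment.setDataHandler(new DataHandler(
                new ByteArrayDataSource(PdfUtility.renderReport(customerId), "application/pdf")));

        MimeMultipart body = new MimeMultipart();
        body.addBodyPart(text);
        body.addBodyPart(attachment);
        return body;
    }
}
```

Because the utility has no URL mapping of its own, the only HTTP path to the PDF remains the servlet under /admin/*. The multipart returned by buildBody is passed to setContent on a javax.mail Message before sending.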