1

I want to upgrade my Java App Engine Standard app to App Engine Flexible and I am wondering what is the best solution to secure certains URLs (e.g. /admin/*).

In Standard I used in web.xml to restrict access to certain paths to users from AIM (https://console.cloud.google.com/iam-admin/iam):

<security-constraint>
    <web-resource-collection>
        <web-resource-name>users</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

As mentioned in the upgrade notes:

The secure setting under handlers is now deprecated for the App Engine flexible environment.

What is the best solution to secure URLs with user and roles from AIM, so with permissions I already defined there?

Nico Kanitz
  • 53
  • 6

3 Answers3

0

I think Cloud Identity-Aware Proxy (IAP) [1] would be a good solution for you:

Cloud Identity-Aware Proxy (Cloud IAP) lets you manage access to applications running in App Engine standard environment, App Engine flexible environment, Compute Engine, and Kubernetes Engine. Cloud IAP establishes a central authorization layer for applications accessed by HTTPS, so you can adopt an application-level access control model instead of using network-level firewalls.

Check this page to manage user access [2]:

This page describes how to manage individual or group access to Cloud Identity-Aware Proxy (Cloud IAP)-secured resources at the resource level.

Iñigo
  • 2,500
  • 2
  • 10
  • 20
  • Thanks for your idea. I already checked IAP, but as far as I understand you can only restrict access to a whole module, but not for certain paths, e.g. only "/admin". Or did I misunderstand the documentation? – Nico Kanitz Aug 26 '18 at 18:33
0

You can use projects.testIamPermissions to check the permissions the user currently has, and deny/allow access from there. For example:

test_iam_permissions_request_body = {

      "permissions": [
        "resourcemanager.projects.get"
      ]
}

will return resourcemanager.projects.get if the user has that permission, and empty if not. This way you can still use the users/roles defined in IAM to allow access.

Stu
  • 148
  • 5
0

Unfortunately, this is no longer possible with just a configuration. As you can see in the documentation

"Note that because the Users service is not available, it is not possible to use app.yaml to make URLs accessible only by administrators. You will need to handle this logic within your application."

You will need to handle this with application code (check the authenticated user and then allow or deny him access).

Ying Li
  • 2,500
  • 2
  • 13
  • 37