How to protect expired session clean-up with a security constraint?

**The protection attempt**

The URL

```
http://[GAE app URL]/_ah/sessioncleanup?clear
```

clears 100 expired sessions from the GAE datastore (so it seems).

I wanted to protect this URL so that it can be called from within the app using an entry in `cron.xml` like

```xml
<cronentries>
  [...]
  <cron>
    <url>/_ah/sessioncleanup?clear</url>
    <description>Clean 100 expired sessions up</description>
    <schedule>[Schedule]</schedule>
  </cron>
</cronentries>
```

but not from just any user following the URL of the form given above.

So I added the following code to `web.xml`:

```xml
<web-app>
  [...]
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>session-clean-up</web-resource-name>
      <url-pattern>/_ah/sessioncleanup</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
```

I omitted adding the following to `web.xml` since the session clean-up takes place using a manual URL invocation without it:

```xml
<web-app>
  [...]
  <servlet>
    <servlet-name>_ah_sessioncleanup</servlet-name>
    <servlet-class>com.google.apphosting.utils.servlet.SessionCleanupServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>_ah_sessioncleanup</servlet-name>
    <url-pattern>/_ah/sessioncleanup</url-pattern>
  </servlet-mapping>
</web-app>
```

**Result**

Sadly, after deployment of this code into production, I find that no protection has been given by the addition of the `<security-constraint>` above to either

```
http://[GAE app URL]/_ah/sessioncleanup?clear
```

or

```
http://[GAE app URL]/_ah/sessioncleanup
```

**Background information**

I based my code above on the posting by a Googler as referenced in [GAE issue 10047 (Request to document or publish code for SessionCleanupServlet)](https://code.google.com/p/googleappengine/issues/detail?id=10047&can=4&sort=priority&colspec=ID%20Type%20Component%20Status%20Stars%20Summary%20Language%20Priority%20Owner%20Log).

**My question**

Does anyone know how I can solve my problem?
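Independently of whether the container honours a `<security-constraint>` on this path, an application-level check gives a second layer that does not depend on the descriptor at all. The filter below is an added example, not code from the question or from Google's `SessionCleanupServlet`: it admits a request only if it carries the `X-Appengine-Cron: true` header that App Engine adds to requests issued from `cron.xml` (App Engine strips `X-Appengine-*` headers from requests that arrive from outside, so the header is only meaningful on App Engine itself) or if the caller is a logged-in application administrator according to the Users API. The package name is hypothetical, and the filter is assumed to be registered in `web.xml` with a `<filter-mapping>` whose `<url-pattern>` is `/_ah/sessioncleanup`.

```java
// Added example (not from the question): application-level guard for the
// session clean-up URL, to be mapped in web.xml to /_ah/sessioncleanup.
package example.security; // hypothetical package name

import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

public class SessionCleanupGuard implements Filter {

    private static final Logger LOG = Logger.getLogger(SessionCleanupGuard.class.getName());

    // Set by App Engine on requests it issues from cron.xml; stripped from
    // requests that come from the outside, so it cannot be forged externally.
    static final String CRON_HEADER = "X-Appengine-Cron";

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isAllowed(request, UserServiceFactory.getUserService())) {
            chain.doFilter(req, res);
            return;
        }
        // Log the refusal for detection purposes, but give the caller no
        // detail about what sits behind the URL.
        LOG.warning("Refused session clean-up request from " + request.getRemoteAddr());
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    /**
     * Decision logic kept free of servlet plumbing so it can be unit-tested
     * with a mock request and a stub UserService.
     */
    static boolean isAllowed(HttpServletRequest request, UserService users) {
        boolean fromCron = "true".equals(request.getHeader(CRON_HEADER));
        // isUserAdmin() throws IllegalStateException when nobody is logged in,
        // so check isUserLoggedIn() first.
        boolean adminUser = users.isUserLoggedIn() && users.isUserAdmin();
        return fromCron || adminUser;
    }

    @Override
    public void destroy() {}
}
```

To wire it up, add a `<filter>` element naming this class and a `<filter-mapping>` with `<url-pattern>/_ah/sessioncleanup</url-pattern>` to `web.xml`. After deployment, an anonymous request to the URL should return 403 while the scheduled cron run still succeeds; the warning lines in the application log then show any attempts to reach the endpoint from outside the cron service.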