kenn3th

Reputation: 1275

google app engine restful web service authentication

I have created a simple Google App Engine web application with Spring MVC and JSP. This app is configured so that only admin users are allowed to access it.

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

It also contains several RESTful web service methods defined in a web controller. Clients for those methods could be a Java app using Spring's RestTemplate or a web-based client.

Since a RESTful web service is stateless, how do I make every HTTP request sent from the client authenticated to GAE?

The problem I am facing right now is that the returned HTTP response for every request contains the Google login page content.

Upvotes: 2

Views: 2553

Answers (1)

Mark Doyle

Reputation: 4874

Google provides a framework to do this with its Google Cloud Endpoints. In particular you should check the section regarding using auth with Endpoints.

If you have requirements where GCEs don't fit (and I see you're using Spring) then Spring has a nice OAuth project that you can use to achieve your goals: Spring Security OAuth.

Note however that implementing OAuth can be a relatively intensive task and depending on your requirements and audience you may be able to settle for easier and potentially less secure or standard solutions. Amazon's APIs also may give you ideas how to secure your own API.

As an example of "other" less recommended solutions, you may just be able to set a header value with each request and check that it matches a list of accepted values on the server. Alternatively you could make your API stateful: use your login in the first call and then pass the session to your REST calls.

Your final solution will most likely depend on your exact requirements.

Upvotes: 4
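The "check a header value against a list of accepted values on the server" option from the answer above, written out as an added example. This is illustrative code, not from the question, the answer, or any Google or Spring project. It assumes a `javax.servlet` Filter mapped to the API paths in `web.xml`, a hypothetical `acceptedKeys` init-param holding the accepted values, and a client header named `X-API-Key`; all three names are this example's own choices. The filter rejects unauthenticated calls with a 401 and a small JSON body, which is what a RestTemplate or browser client can handle, rather than letting the container redirect to the Google login page.

```java
// ApiKeyFilter.java (added example, not from the original page)
//
// Assumed web.xml registration (hypothetical names):
//   <filter>
//     <filter-name>apiKeyFilter</filter-name>
//     <filter-class>ApiKeyFilter</filter-class>
//     <init-param>
//       <param-name>acceptedKeys</param-name>
//       <param-value>PLACEHOLDER_KEY_1,PLACEHOLDER_KEY_2</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>apiKeyFilter</filter-name>
//     <url-pattern>/api/*</url-pattern>
//   </filter-mapping>
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ApiKeyFilter implements Filter {
    // Header name is an assumption of this example, not a GAE or Spring convention.
    private static final String HEADER = "X-API-Key";
    private final Set<String> acceptedKeys = new HashSet<String>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Hypothetical init-param: comma-separated list of accepted key values.
        String configured = config.getInitParameter("acceptedKeys");
        if (configured != null) {
            for (String k : configured.split(",")) {
                if (!k.trim().isEmpty()) {
                    acceptedKeys.add(k.trim());
                }
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A shared header value is a bearer secret: refuse to accept it over plain HTTP,
        // mirroring the CONFIDENTIAL transport-guarantee in the question's web.xml.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        String presented = request.getHeader(HEADER);
        if (presented == null || !isAccepted(presented)) {
            // 401 with a JSON body, not a redirect to the Google login page.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.getWriter().write("{\"error\":\"unauthorized\"}");
            return;
        }
        chain.doFilter(req, res);
    }

    // Compare against every accepted key with MessageDigest.isEqual, which is
    // constant-time for equal-length inputs, so response timing does not leak
    // how many leading bytes of a guess matched.
    boolean isAccepted(String presented) {
        byte[] p = presented.getBytes(StandardCharsets.UTF_8);
        boolean match = false;
        for (String key : acceptedKeys) {
            byte[] k = key.getBytes(StandardCharsets.UTF_8);
            match |= MessageDigest.isEqual(p, k);
        }
        return match;
    }

    @Override
    public void destroy() {
    }
}
```

Two caveats follow from the question's own configuration. First, the `<security-constraint>` with `<url-pattern>/*</url-pattern>` and the `admin` role is what triggers the Google login redirect for every request, so the API paths the filter protects must be excluded from that constraint (or the constraint narrowed to the JSP pages) or the container will still redirect before the filter runs. Second, this is the "less secure" option the answer describes: the key is a long-lived shared secret sent on every call, so keep it out of URLs and logs and rotate it; for anything beyond a small, trusted set of clients, the Cloud Endpoints or Spring Security OAuth routes the answer recommends are the better fit.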
