Reputation: 1169
I have a GAE project I'm about to deploy. Everything is going well except I seemingly can't protect certain files. In particular, I've uploaded my .p12 key file to use with APNS. I had it in WEB-INF originally, but due to a "java.io.IOException: DerInputStream.getLength(): lengthTag=111, too big." error I've moved the file outside of this directory. The issue I'm having now is that I'm able to download the .p12 file. Working on the local dev server, I have the following permissions, which block access to the file. However, once I push this out to production I'm still able to download the file. What might it be about the GAE production environment that is not enforcing this security constraint? Thank you for any help.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>certificates</web-resource-name>
        <url-pattern>/certificates/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
Upvotes: 2
Views: 135
Reputation: 4692
Looking into the documents, you need to have a role specified inside of "auth-constraint", as shown here
So something like
<security-constraint>
    <web-resource-collection>
        <web-resource-name>certificates</web-resource-name>
        <url-pattern>/certificates/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
should do the trick.
Upvotes: 1
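An added example, not part of either post above: a small Python check that reads a web.xml and reports what the descriptor itself declares for a given path, so the question's empty `<auth-constraint />` can be compared with the answer's `<role-name>*</role-name>` variant. It reports only what is declared, not what a given runtime enforces; the file name `apns.p12` and the helper names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor; {auth} is filled with each post's auth-constraint.
TEMPLATE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>certificates</web-resource-name>
      <url-pattern>/certificates/*</url-pattern>
    </web-resource-collection>
    {auth}
  </security-constraint>
</web-app>"""
QUESTION = TEMPLATE.format(auth="<auth-constraint />")
ANSWER = TEMPLATE.format(
    auth="<auth-constraint><role-name>*</role-name></auth-constraint>")

def local(tag):
    # Drop the "{namespace}" prefix ElementTree puts on tag names.
    return tag.rsplit("}", 1)[-1]

def matches(pattern, path):
    # Servlet url-pattern forms: "/dir/*" prefix, "*.ext" suffix, exact.
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def access_for(web_xml, path):
    """Return one verdict per security-constraint that covers `path`."""
    root = ET.fromstring(web_xml)
    verdicts = []
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        patterns = [e.text.strip() for e in sc.iter()
                    if local(e.tag) == "url-pattern" and e.text]
        if not any(matches(p, path) for p in patterns):
            continue
        auth = next((e for e in sc if local(e.tag) == "auth-constraint"), None)
        if auth is None:
            verdicts.append("public")  # constraint present, no auth required
            continue
        roles = [e.text.strip() for e in auth
                 if local(e.tag) == "role-name" and e.text]
        # No roles named: the Servlet spec defines this as no access at all.
        # "*" names every role; on App Engine that is any signed-in user.
        verdicts.append("deny-all" if not roles else "roles:" + ",".join(roles))
    return verdicts or ["unconstrained"]

if __name__ == "__main__":
    for name, doc in (("question", QUESTION), ("answer", ANSWER)):
        print(name, access_for(doc, "/certificates/apns.p12"))
```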