Secure remote_api in app engine with OpenID


Problem description


I previously asked a question about using app engine's remote_api with openID, and the answer worked well, both securely and insecurely. At some point soon after, however, something in app engine changed, and the solution no longer worked securely - i.e. the following

remote_api_stub.ConfigureRemoteDatastore(app_id=app_id, path='/remote_api', auth_func=auth_func, servername=host, secure=True)

stopped working (always returning 302), and I needed to remove the secure argument to get it to work.

The release of the 1.3.5 SDK promised 'Remote API commands can be sent over HTTPS or HTTP', which confused me, as I was under the impression that providing the 'secure=True' argument had been giving me this already, based on this discussion.

My suspicion is that it was the release of this feature that caused the 'secure' argument to stop working. So the first part of my question - was I actually running remote_api commands securely by using the 'secure=True' argument, prior to the release of 1.3.5?

Once the cookie hack stopped working securely, I tried out Nick Johnson's solution listed in the same question, but with this also, I could not supply 'secure=True', getting the same 302 response.

What do I need to do to run remote_api securely with openID? Does 1.3.5 include new capabilities around this, and how do I use them? Cheers,

Colin

Solution

Regarding this:

http://code.google.com/intl/en-US/appengine/articles/openid.html

WARNING: at the time of this writing, OpenID is not supported if your app runs in secure mode using HTTPS.

Regarding this, in the last revision in the 1.3.7 release:

def ConfigureRemoteDatastore(app_id,
                             path,
                             auth_func,
                             servername=None,
                             rpc_server_factory=appengine_rpc.HttpRpcServer,
                             rtok=None,
                             secure=False):
  """Does necessary setup to allow easy remote access to an AppEngine datastore.

  Either servername must be provided or app_id must not be None.  If app_id
  is None and a servername is provided, this function will send a request
  to the server to retrieve the app_id.

  Args:
    app_id: The app_id of your app, as declared in app.yaml.
    path: The path to the remote_api handler for your app
      (for example, '/remote_api').
    auth_func: A function that takes no arguments and returns a
      (username, password) tuple. This will be called if your application
      requires authentication to access the remote_api handler (it should!)
      and you do not already have a valid auth cookie.
    servername: The hostname your app is deployed on. Defaults to
      <app_id>.appspot.com.
    rpc_server_factory: A factory to construct the rpc server for the datastore.
    rtok: The validation token to send with app_id lookups. If None, a random
      token is used.
    secure: Use SSL when communicating with the server.
  """
  # Function body omitted in the answer.

So, did you try it with the new SDK?
