I've built a Google App Engine app to use as a database for my Android app, so I don't want anyone to access my web application after I upload it. How can I block it? I thought of using a password as a parameter, and showing an error page if the password doesn't match, but this is very risky and not sufficient. Is there another way?
Thanks!
Just add a security constraint to web.xml, e.g.:

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

You will need to define some authentication mechanism for your client app, though, so it gets through, e.g. use SSL and send login values that way from the Android app. In that case, make sure you open up the URL pattern used by your app via web.xml.
Presumably you want users of your Android app to be able to access your app, but nobody else. This isn't possible: anything your Android app can generate can be generated independently without your app.
At best, you can embed a secret token in your app and use it to generate signatures for requests, but it will not be difficult for someone to extract that secret and use it directly.