https only in google app engine

I am on a google app engine project now. In my application I have to allow only https protocol. And I have to restrict other pro开发者_如何学编程tocols. It should allow https only. I have added the below code in web.xml.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

But after deploying it works on both the protocols(http and https). How to restrict http?

It is possible to configure the individual handlers to require HTTPS in the app.yaml file in the WEB-INF folder as described here: Java Application Configuration Using app.yaml - Google App Engine.

You just have to add these two words to your app.yaml file under the appropriate url entry:
secure: always

For example:

- url: .*
  script: main.app
  secure: always

Then if a user tries to access the URL with HTTP she will be automatically redirected to HTTPS. Pretty cool.

If you want to stick with "web.xml" rather than using the "app.yaml" option (which will overwrite your web.xml & appengine-web.xml files at deploy time), you can add in:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>everything</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Reference: https://cloud.google.com/appengine/docs/java/config/webxml#Security_and_Authentication

Are you using your own domain? At present, GAE supports SSL for *.appspot.com domains only. They have been promising SSL support for non-appspot domains for some time now and we're all waiting for news on that front.

This is for future folks !!!

1. In java adding the code below in my web.xml file worked for me

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>HTTPS redirect</web-resource-name>
         <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
   </security-constraint>
   

2. For other project add secure: always under all urls in app.yaml file

Add this to your web.xml file

<security-constraint>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>