I have a java 8 project with the Cloud Endpoints Framework configured.
I followed the documentation here: https://cloud.google.com/endpoints/docs/frameworks/java/get-started-frameworks-java
I try to secure the API with an API Key. I followed the documentation here : https://cloud.google.com/endpoints/docs/frameworks/java/restricting-api-access-with-api-keys-frameworks
The problem is that I can always access the endpoints, whether I set the API Key or not.
Here is the API:
@Api(
name = "myApi",
title = "My API",
version = "v1",
description = "My API description",
apiKeyRequired = AnnotationBoolean.TRUE
)
public class MyApiEndpoint {
@ApiMethod(httpMethod = GET, path = "list", apiKeyRequired = AnnotationBoolean.TRUE)
public ApiEntityList list() throws Exception {
return new ApiEntityList();
}
}
Here is the web.xml:
<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1">
<filter>
<filter-name>endpoints-api-controller</filter-name>
<filter-class>com.google.api.control.extensions.appengine.GoogleAppEngineControlFilter</filter-class>
<init-param>
<param-name>endpoints.projectId</param-name>
<param-value>${app.deploy.project}</param-value>
</init-param>
<init-param>
<param-name>endpoints.serviceName</param-name>
<param-value>${app.deploy.project}.appspot.com</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>endpoints-api-controller</filter-name>
<servlet-name>EndpointsServlet</servlet-name>
</filter-mapping>
<filter>
<filter-name>endpoints-api-configuration</filter-name>
<filter-class>com.google.api.control.ServiceManagementConfigFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>endpoints-api-configuration</filter-name>
<servlet-name>EndpointsServlet</servlet-name>
</filter-mapping>
<servlet>
<servlet-name>EndpointsServlet</servlet-name>
<servlet-class>com.google.api.server.spi.EndpointsServlet</servlet-class>
<init-param>
<param-name>services</param-name>
<param-value>com.myproject.MyApiEndpoint</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>EndpointsServlet</servlet-name>
<url-pattern>/_ah/api/*</url-pattern>
</servlet-mapping>
The appengine-web.xml:
<?xml version="1.0" encoding="utf-8"?>
<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
<runtime>java8</runtime>
<threadsafe>true</threadsafe>
<service>core</service>
<url-stream-handler>urlfetch</url-stream-handler>
<system-properties>
<property name="java.util.logging.config.file" value="WEB-INF/logging.properties"/>
</system-properties>
<env-variables>
<env-var name="ENDPOINTS_SERVICE_NAME" value="${app.deploy.project}.appspot.com" />
</env-variables>
</appengine-web-app>
I created the API Key as a new credential in the Google Cloud Platform project, without any restriction.
And I can see the lines below in the openapi.json file deployed on GCP:
"/myApi/v1/list": {
"get": {
"operationId": "MyApiList",
"parameters": [ ],
"responses": {
"200": {
"description": "A successful response",
"schema": {
"$ref": "#/definitions/ApiEntityList"
}
}
},
"security": [
{
"api_key": [ ]
}
]
}
},
"securityDefinitions": {
"api_key": {
"type": "apiKey",
"name": "key",
"in": "query"
}
},
All the calls below are NOT rejected, but I expect they are:
- https://core-dot-gcp-project.appspot.com/_ah/api/myApi/v1/list
- https://core-dot-gcp-project.appspot.com/_ah/api/myApi/v1/list?key=FAKE_API_KEY
- calls from the API Explorer with no API Key configured
- and even from local server: http://localhost:8080/_ah/api/myApi/v1/list
It looks like the apiKeyRequired
annotation parameter does not have any effect.
Do I miss something here?