0
votes

I have a Google project credible-nation-130012 to which I deployed an app written in Java. It uses the AppEngine standard environment. The only content is a Google endpoint. You can see the sources at GitHub: https://github.com/mhdirkse/least-common-multiplier .

While not logged in with Google, I wanted to test my deployment. To do this, I visited https://credible-nation-130012.appspot.com/_ah/api/explorer using Firefox. My API did not appear. I pressed F12 for developer information and saw the following errors:

https://apis-explorer.appspot.com/apis-explorer/?base=https://credible-nation-130012.appspot.com/_ah/api#p/

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://credible-nation-130012.appspot.com/_ah/api/discovery/v1/apis. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).[Learn More]

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://credible-nation-130012.appspot.com/_ah/api/discovery/v1/apis. (Reason: CORS request did not succeed).[Learn More]

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://credible-nation-130012.appspot.com/_ah/api/discovery/v1/apis. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).[Learn More]

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://credible-nation-130012.appspot.com/_ah/api/discovery/v1/apis. (Reason: CORS request did not succeed).[Learn More]

Then I closed the tab and visited console.cloud.google.com to log in. After this my API appeared at https://credible-nation-130012.appspot.com/_ah/api/explorer and it worked.

I guess that the API explorer cannot properly access https://accounts.google.com. It expects to get back a header Access-Control-Allow-Origin but that is not present. Does this have anything to do with my application, or is it a bug in the API explorer? Or is this behavior intended by Google? Any help is welcome.

With kind regards,

Martijn Dirkse

By the way: I am demonstrating this project for a job application. If I get help on this question, I will make this clear on GitHub and in communication with possible employers.


2 Answers

1
votes

The issue is likely in your web.xml. You have set an admin auth constraint for all URLs, and API Explorer needs to access a certain URL path /_ah/api/discovery/v1/apis (and paths under it) to work. Remove the constraint or loosen it to exclude /_ah/api.
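One way to loosen the constraint in web.xml without giving up admin protection for the rest of the app, as an added example that is not the question's project code: the servlet container applies the security constraint whose url-pattern best matches the request path, so a more specific constraint for /_ah/api/* with no auth-constraint lets the Endpoints discovery document and the API Explorer through while /* stays admin-only. The /_ah/api/* pattern and leaving the API without a container login are assumptions; caller authentication for the API itself is a separate Endpoints concern.

```xml
<!-- Added example, not the project's own web.xml. The container picks the
     constraint with the best-matching url-pattern, so the more specific
     /_ah/api/* entry below takes precedence over /* for Endpoints requests. -->

<!-- Everything else in the app stays restricted to admins over HTTPS. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin-only</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Endpoints paths (discovery, API Explorer, method calls). Omitting
     auth-constraint means no container login is required, but HTTPS is
     still enforced; authenticating API callers is left to Endpoints. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>endpoints</web-resource-name>
    <url-pattern>/_ah/api/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```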

0
votes

I had had a security constraint in web.xml, as follows:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

I think that was the error. This says that the URL credible-nation-130012.appspot.com/_ah/api/explorer requires the 'administrator' role. But remote applications accessing an endpoints API are not administrators. Putting in this security constraint seems to be nonsense.

Restricting access to my API is also not that important. This is a toy project that I want to demonstrate.

I have seen that after logging out, it takes time before this has effect. I will check tomorrow whether my app behaves as intended.

I do not need help anymore for now.