How to securely establish communication between tw

Posted 2019-04-02 09:19

We have come across two apps made on Google App Engine (Java) and we need to establish secure communication between them. Basically we have:

APP1: "Public" APP that provides data in JSON format based on requests in JSON format. The data is private, subject just to the specific request.

APP2: "Internal/Not public" APP that requests data from APP1 in JSON format and needs to receive the response in JSON format.

The scenario above is working fine; we have both apps communicating with each other. However, we need this communication to be secure and we need to identify (authorization and authentication process) that it is really APP2 that is requesting data from APP1.

We have thought of many approaches but we haven't come across a final solution, I was hoping someone has implemented something similar.

1) We thought about using OAuth, building a "Provider APP" and making APP2 subscribe to our APP1 through this provider. The reason for us to look at this solution is that maybe in the future we will allow a third-party app (APP3) to consume the data from APP1 in a subscription mode.

Regards.

2 answers
【Aperson】
#2 · 2019-04-02 09:52

Requests from one app to another will always have the X-AppEngine-Inbound-AppId header set to the AppID of the originating app. This header can't be forged by other apps or external services - it's sanitized by the App Engine system.

As an editorial note, though, it's rarely a good idea to separate your app into two separate apps like this unless you really do have an API that could be used equally well by external services. Organizing your app's responsibilities internally is generally much more efficient and just as effective at separating concerns.
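
The header check described in this answer, written as a servlet filter for APP1. This is an added example, not code from the answer or from App Engine; the class name `InboundAppIdFilter` and the application ID `app2-internal` are placeholders chosen for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Rejects any request to APP1 that does not carry an allowed inbound app ID. */
public class InboundAppIdFilter implements Filter {
    // Header App Engine sets on app-to-app requests, as named in the answer above.
    static final String INBOUND_APP_ID = "X-AppEngine-Inbound-AppId";

    // Assumption: "app2-internal" stands in for APP2's real application ID.
    // A future APP3 would be added to this allowlist explicitly.
    private static final Set<String> ALLOWED_APP_IDS =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("app2-internal")));

    /** Decision rule kept separate so it can be unit-tested without a container. */
    static boolean isAllowed(String inboundAppId) {
        // A missing header means the caller is not another App Engine app: deny.
        return inboundAppId != null && ALLOWED_APP_IDS.contains(inboundAppId);
    }

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (!isAllowed(request.getHeader(INBOUND_APP_ID))) {
            // Fail closed before any handler touches private data.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```

Map the filter to APP1's JSON endpoints in `web.xml` so every handler sits behind it. On the APP2 side, the URL Fetch call has to be made with redirects disabled for App Engine to attach the header.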

Viruses.
#3 · 2019-04-02 10:09

This functionality is now built into the App Engine API. Apps can securely assert their identity to other apps.

ref: http://code.google.com/appengine/docs/java/appidentity/overview.html#Asserting_Identity_to_Other_Systems
