When your application utilizes the Google Accounts service, the Users API can
determine whether the current user has signed in using her Google account. If she is
not currently signed in, the service can redirect her to a sign-in page customized with
text for your application, or it can allow her to create a new Google account. After the
user signs in or creates an account, the service will redirect her back to your original
page. Google takes care of generating the sign-in and sign-out URLs for you and can
either display the URL to the user or automatically redirect them.

Another feature of the service is that it can distinguish admin users from regular
users. So if the current user is an administrator for the application or a Google Apps
user marked as an administrator, you can present them with an admin interface or
another context specific to their profile. However, if you need to implement additional
profiles, again, you will need to create your own authentication framework to achieve
this level of functionality.
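
The sign-in check, redirect, and admin distinction described above, as an added example that is not from the original text. It uses the App Engine Java Users API (UserServiceFactory, UserService, User); the servlet name and the output strings are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

// Hypothetical servlet name; map it to a URL in web.xml as usual.
public class ProfileGateServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        UserService userService = UserServiceFactory.getUserService();

        // Return path is the URI of this request, not a value read from a
        // client-supplied parameter such as ?continue=...
        String returnTo = req.getRequestURI();

        // isUserAdmin() throws IllegalStateException when nobody is signed in,
        // so the signed-in check has to come first.
        if (!userService.isUserLoggedIn()) {
            resp.sendRedirect(userService.createLoginURL(returnTo));
            return;
        }

        User user = userService.getCurrentUser();

        // Plain-text response: the account e-mail is echoed without markup,
        // so it is never interpreted as HTML by the browser.
        resp.setContentType("text/plain");
        resp.setCharacterEncoding("UTF-8");
        resp.getWriter().println("Signed in as " + user.getEmail());

        if (userService.isUserAdmin()) {
            // Reached only by administrators of this application.
            resp.getWriter().println("Admin context: management links go here.");
        } else {
            resp.getWriter().println("Regular user context.");
        }
        resp.getWriter().println("Sign out: " + userService.createLogoutURL("/"));
    }
}
```

The admin branch is decided on the server for every request; hiding admin links in the page alone does not restrict access to the URLs behind them.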

Restricting Access to Resources

In addition to restricting your entire application to authenticated users, you can
specify access restrictions for certain URLs or URL paths based on the user's account.
You configure access restrictions in the deployment descriptor by defining a series of
<security-constraint> elements for URLs based on pattern matching. In addition to
the URL, the security constraint also specifies the Google Accounts users or role. App
Engine only supports * (“all users”) and admin roles. It does not support custom

The process works the same as if you are restricting your entire application to
authenticated users. If an unauthenticated user attempts to access a URL that
matches a security constraint defined in the deployment descriptor, App Engine
redirects him to the Google Accounts sign-in page. After he has logged in successfully,
the service redirects him back to the original URL. Listing 6-1 provides a sample
deployment descriptor using this approach.
Listing 6-1. The web.xml deployment descriptor with security constraints