java google-app-engine gwt google-identity-toolkit

Authorization for Static Files in Google App Engine application (not using Google Account)


I have an application deployed on Google App Engine (GAE) for Java. I'm using Google Identity Toolkit for authentication (and not the standard Google Account based authentication provided by GAE). The front-end is GWT based.

I have some static content (image files) that is located in the war/static/images folder. I want to restrict access to these files to only a subset of signed-in users, i.e. add authorization around these files. GAE provides security-constraints, but that doesn't work for me as I'm not using Google Accounts, and even then, it doesn't provide full authorization based on my requirements.

What's the best way to add authorization around these static assets?


Solution

  • Google App Engine stores static files on other servers and not on the same application server where your app resides.

    So you can't add any authorization check on them. You can use Google Cloud Storage and set ACLs, but again that's going to work only for Google users; you cannot have your own authorization there either.

    So the answer is, you have to change the static files to resource files, and add routes to those files instead of direct access. Then in your endpoints or controller you can add custom authorization based on session, access token, or any other identity option. Once the user is authorized to access those files, you can serve those files as the response.
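
The approach this answer describes, as an added example (not code from the original post): a servlet that authorizes the session before streaming an image kept as a resource file. The servlet name, the `/protected-images/*` mapping, the `WEB-INF/protected-images` location and the `userId` / `imageAccess` session attributes are all assumptions; your login handler would set those attributes after verifying the Identity Toolkit token.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.regex.Pattern;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet, mapped in web.xml to /protected-images/*.
// Assumes the images were moved out of war/static/images into
// WEB-INF/protected-images, which is never served as static content.
public class ProtectedImageServlet extends HttpServlet {
  private static final String BASE = "/WEB-INF/protected-images/";
  // Flat file names with a known image extension only; rejects "..", "/" and "\".
  private static final Pattern SAFE_NAME =
      Pattern.compile("[A-Za-z0-9_-]+\\.(png|jpg|gif)");

  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp)
      throws IOException {
    // Do not create a session for anonymous requests.
    HttpSession session = req.getSession(false);
    if (session == null || session.getAttribute("userId") == null) {
      resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);  // not signed in
      return;
    }
    // Assumed attribute: set to TRUE at login for the permitted subset of users.
    if (!Boolean.TRUE.equals(session.getAttribute("imageAccess"))) {
      resp.sendError(HttpServletResponse.SC_FORBIDDEN);     // signed in, not allowed
      return;
    }
    String pathInfo = req.getPathInfo();                    // e.g. "/logo.png"
    String name = pathInfo == null ? "" : pathInfo.substring(1);
    ServletContext ctx = getServletContext();
    // The name check runs first, so unvalidated input never reaches the lookup.
    try (InputStream in = SAFE_NAME.matcher(name).matches()
        ? ctx.getResourceAsStream(BASE + name) : null) {
      if (in == null) {
        resp.sendError(HttpServletResponse.SC_NOT_FOUND);
        return;
      }
      String mime = ctx.getMimeType(name);
      resp.setContentType(mime != null ? mime : "application/octet-stream");
      // Keep authorized content out of shared caches.
      resp.setHeader("Cache-Control", "private, no-store");
      OutputStream out = resp.getOutputStream();
      byte[] buf = new byte[8192];
      for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
    }
  }
}
```

On App Engine for Java, HTTP sessions must be enabled in `appengine-web.xml` (`<sessions-enabled>true</sessions-enabled>`) for the session check to work, and the original copies under `war/static/images` must be removed so they are no longer reachable directly.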