在 java 中使用 API 密钥限制我的端点

Question

我正在使用适用于 java 的云端点 v2。我的问题是任何人都可以通过 API Explorer 或直接从某人知道的 URL 访问这些端点方法。我想保护我的端点。我阅读了如何使用 API KEY 限制整个 API 或某些方法的文档。 Restricting API Access with API Keys

这是我正在尝试的。

@Api(
        name = "zeem",
        version = "v1"
)

public class Account {
@ApiMethod(name = "getRegistration", path = "getRegistration", apiKeyRequired = AnnotationBoolean.TRUE)
public Registered getRegistration(@Named("phone") Long phone){
  // code ....
}

我可以在没有任何 API 密钥的情况下运行此方法，并且它可以成功运行。
即使我尝试直接从 url 访问此方法，它也可以工作。

http://localhost:8080/_ah/api/zeem/v1/getRegistration?phone=123 // Successfully getting response

你能告诉我我做错了什么吗？有什么我想念的吗？

更新-OpenAPI 文档

是的，我正在添加 API 管理这里是 openapi.json 这个函数的样子。

    "/zeem/v1/getRegistration": {
   "get": {
    "operationId": "ZeemGetRegistration",
    "parameters": [
     {
      "name": "phone",
      "in": "query",
      "required": true,
      "type": "integer",
      "format": "int64"
     }
    ],
    "responses": {
     "200": {
      "description": "A successful response",
      "schema": {
       "$ref": "#/definitions/Registered"
      }
     }
    },
    "security": [
     {
      "api_key": [ ]
     }
    ]
   }
  },

这是控制台的外观。

我错过了什么？

更新：Web.xml

<?xml version="1.0" encoding="utf-8"?>
<!-- [START_EXCLUDE] -->
<!--
  Copyright 2016 Google Inc.
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at
        http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- [END_EXCLUDE] -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
         http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <welcome-file-list>
    <welcome-file>welcome</welcome-file>
  </welcome-file-list>

  <!-- OBJECTIFY -->
  <filter>
    <filter-name>ObjectifyFilter</filter-name>
    <filter-class>com.googlecode.objectify.ObjectifyFilter</filter-class>
  </filter>
    <filter-mapping>
        <filter-name>ObjectifyFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

  <!-- ENDPOINTS -->
  <servlet>
        <servlet-name>EndpointsServlet</servlet-name>
        <servlet-class>com.google.api.server.spi.EndpointsServlet</servlet-class>
        <init-param>
            <param-name>services</param-name>
            <param-value>
                org.octabyte.zeem.API.Account,
                org.octabyte.zeem.API.CommentApi,
                org.octabyte.zeem.API.FriendApi,
                org.octabyte.zeem.API.ListApi,
                org.octabyte.zeem.API.PostApi,
                org.octabyte.zeem.API.SearchApi,
                org.octabyte.zeem.API.UserApi,
                org.octabyte.zeem.API.StoryApi
            </param-value>
        </init-param>
    </servlet>
    <!-- Route API method requests to the backend. -->
    <servlet-mapping>
        <servlet-name>EndpointsServlet</servlet-name>
        <url-pattern>/_ah/api/*</url-pattern>
    </servlet-mapping>


    <!-- Security -->
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>admin</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

</web-app>

Answer 1

对什么是 API 密钥访问限制存在误解。 API key restriction 用于限制密钥可以访问的API，它不以任何形式或形式处理用户的身份验证。

有几种方法可以对 Endpoints 的用户进行身份验证，例如，您可以使用 API management 或者您可以考虑使用 OpenAPI。