Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to encrypt GAE query cursors from Java

Tags:

java

encryption

google-app-engine

google-cloud-datastore

I want to pass a query cursor (a web safe String of about 120 length) to the client and according to gae docs:

Caution: Be careful when passing a Datastore cursor to a client, such as in a web form. Although the client cannot change the cursor value to access results outside of the original query, it is possible for it to decode the cursor to expose information about result entities, such as the application ID, entity kind, key name or numeric ID, ancestor keys, and properties used in the query's filters and sort orders. If you don't want users to have access to that information, you can encrypt the cursor, or store it and provide the user with an opaque key.

What's a good way to achieve this? I would like a low cpu cost not so strong cypher/encryption algorithm that keeps the encrypted string as a web safe string.

like image 595
Federico Pugnali Avatar asked Mar 04 '26 09:03

Federico Pugnali

2 Answers

To round out the answers a bit, storing the cursor in the datastore and passing an opaque key to that, is a good approach. However, this approach requires to pay for more datastore ops.

The alternative, doing encryption/decryption of the cursor, isn't free either. You'll incur instance hours encrypting and decrypting the keys.

If you want symmetric-key encryption, the default choice is AES. It's fast and widely accepted as safe. The javax.crypto libraries are whitelisted on App Engine, so you can use them. Here's a quick snippet that should do what you want:

String password = "some value";
byte[] passwordBytes = password.getBytes(); 
Cipher cipher = Cipher.getInstance("AES"); 
cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(passwordBytes, "AES")); 
byte[] encryptedBytes = cipher.doFinal(cursor.toWebSafeString().getBytes());

Which approach is cheaper will depend on lots of things, and you'll have to do your own analysis. Using memcache in addition to either encryption or datastore is likely to make things cheaper.

like image 130
Dan Holevoet Avatar answered Mar 05 '26 22:03

Dan Holevoet

"store it and provide the user with an opaque key."

I would just store it and give the client a key to that instead.

If your happy with it being a temporary thing, you could chuck it in memcache to save money/time.

like image 28
matt burns Avatar answered Mar 06 '26 00:03

matt burns
Sign in to Comment

Related questions

Traverse an arraylist of objects and get the maximum quantity value from duplicate objects
JavaFX 60 fps frame rate cap doesn't work
Android: How can I port ExecuteScalar to Java?
How do I send images and text on the same Java socket?
How to supply parameters in Guice injections, while not breaking Guice-AOP method interception?
why WriteConcern is being ignored in MongoDB Java driver?
Android: How to use a ContentProvider to download a file using the DownloadManager to the internal storage?
Struts2 JQuery Plugin AutoCompleter does not work when selectBox="true" attribute is added

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!