Class AWS4Signer

All Implemented Interfaces:
Presigner, RegionAwareSigner, ServiceAwareSigner, Signer

public class AWS4Signer extends AbstractAWSSigner implements ServiceAwareSigner, RegionAwareSigner, Presigner
Signer implementation that signs requests with the AWS4 signing protocol.
  • Field Details

    • log

      protected static final InternalLogApi log
    • serviceName

      protected String serviceName
      Service name override for use when the endpoint can't be used to determine the service name.
    • regionName

      protected String regionName
      Region name override for use when the endpoint can't be used to determine the region name.
    • overriddenDate

      protected Date overriddenDate
      Date override for testing only
    • doubleUrlEncode

      protected boolean doubleUrlEncode
      Whether to double url-encode the resource path when constructing the canonical request. Double url-encoding is enabled by default. TODO: Different SigV4 services seem to be inconsistent on this, so services that want to suppress it should use new AWS4Signer(false).
  • Constructor Details

    • AWS4Signer

      public AWS4Signer()
      Construct a new AWS4 signer instance. Double url-encoding is enabled by default.
    • AWS4Signer

      public AWS4Signer(boolean doubleUrlEncoding)
      Construct a new AWS4 signer instance.
      Parameters:
      doubleUrlEncoding - Whether to double url-encode the resource path when constructing the canonical request.
  • Method Details

    • setServiceName

      public void setServiceName(String serviceName)
      Sets the service name that this signer should use when calculating request signatures. This can almost always be determined directly from the request's end point, so you shouldn't need this method, but it's provided for the edge case where the information is not in the endpoint.
      Specified by:
      setServiceName in interface ServiceAwareSigner
      Parameters:
      serviceName - The service name to use when calculating signatures in this signer.
    • setRegionName

      public void setRegionName(String regionName)
      Sets the region name that this signer should use when calculating request signatures. This can almost always be determined directly from the request's end point, so you shouldn't need this method, but it's provided for the edge case where the information is not in the endpoint.
      Specified by:
      setRegionName in interface RegionAwareSigner
      Parameters:
      regionName - The region name to use when calculating signatures in this signer.
    • getRegionName

      public String getRegionName()
      Returns the region name that is used when calculating the signature.
    • getServiceName

      public String getServiceName()
      Returns the service name that is used when calculating the signature.
    • getOverriddenDate

      public Date getOverriddenDate()
      Returns a copy of the date that overrides the signing date in the request. Returns null by default.
    • sign

      public void sign(SignableRequest<?> request, AWSCredentials credentials)
      Description copied from interface: Signer
      Sign the given request with the given set of credentials. Modifies the passed-in request to apply the signature.
      Specified by:
      sign in interface Signer
      Parameters:
      request - The request to sign.
      credentials - The credentials to sign the request with.
    • presignRequest

      public void presignRequest(SignableRequest<?> request, AWSCredentials credentials, Date userSpecifiedExpirationDate)
      Description copied from interface: Presigner
      Signs the request by adding the signature to the URL rather than as a header. This method is expected to modify the passed-in request to add the signature.
      Specified by:
      presignRequest in interface Presigner
      Parameters:
      request - The request to sign.
      credentials - The credentials to sign it with.
      userSpecifiedExpirationDate - The time when this presigned URL will expire.
    • createCanonicalRequest

      protected String createCanonicalRequest(SignableRequest<?> request, String contentSha256)
      Step 1 of the AWS Signature version 4 calculation. Refer to http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html to generate the canonical request.
    • createStringToSign

      protected String createStringToSign(String canonicalRequest, com.amazonaws.auth.internal.AWS4SignerRequestParams signerParams)
      Step 2 of the AWS Signature version 4 calculation. Refer to http://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html.
    • computeSignature

      protected final byte[] computeSignature(String stringToSign, byte[] signingKey, com.amazonaws.auth.internal.AWS4SignerRequestParams signerRequestParams)
      Step 3 of the AWS Signature version 4 calculation. It involves deriving the signing key and computing the signature. Refer to http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
    • addSessionCredentials

      protected void addSessionCredentials(SignableRequest<?> request, AWSSessionCredentials credentials)
      Description copied from class: AbstractAWSSigner
      Adds session credentials to the request given.
      Specified by:
      addSessionCredentials in class AbstractAWSSigner
      Parameters:
      request - The request to add session credentials information to
      credentials - The session credentials to add to the request
    • getCanonicalizedHeaderString

      protected String getCanonicalizedHeaderString(SignableRequest<?> request)
    • getSignedHeadersString

      protected String getSignedHeadersString(SignableRequest<?> request)
    • shouldExcludeHeaderFromSigning

      protected boolean shouldExcludeHeaderFromSigning(String header)
    • addHostHeader

      protected void addHostHeader(SignableRequest<?> request)
    • calculateContentHash

      protected String calculateContentHash(SignableRequest<?> request)
      Calculate the hash of the request's payload. Subclasses can override this method to provide different values for the "x-amz-content-sha256" header or to do any other necessary set-up on the request headers (e.g. aws-chunked uses a pre-defined header value, and needs to change some headers relating to content-encoding and content-length).
    • processRequestPayload

      protected void processRequestPayload(SignableRequest<?> request, byte[] signature, byte[] signingKey, com.amazonaws.auth.internal.AWS4SignerRequestParams signerRequestParams)
      Subclasses can override this method to perform any additional procedure on the request payload, with access to the result from signing the header (e.g. signing the payload by chunk-encoding). The default implementation doesn't need to do anything.
    • calculateContentHashPresign

      protected String calculateContentHashPresign(SignableRequest<?> request)
      Calculate the hash of the request's payload. When pre-signing, the existing code generates the hash of an empty byte array and returns it. Subclasses can override this method to provide different values; for example, for S3 pre-signing the content hash calculation is different from the general implementation.
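
The three calculation steps referenced by createCanonicalRequest, createStringToSign and computeSignature, together with the effect of doubleUrlEncode, worked through in plain JDK code. This is an added example, not the SDK's implementation: the class SigV4Sketch, its helper names, and the secret, host, path and timestamp are constructed for illustration, and it covers only a GET with no query string and two signed headers.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SigV4Sketch {
    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    static String sha256Hex(String s) throws Exception {
        return hex(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
    }
    // RFC 3986 percent-encoding that keeps '/' so the path structure survives.
    static String encodePath(String path) {
        StringBuilder sb = new StringBuilder();
        for (byte b : path.getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xff);
            boolean keep = c < 128 && (Character.isLetterOrDigit(c) || "-_.~/".indexOf(c) >= 0);
            sb.append(keep ? String.valueOf(c) : String.format("%%%02X", b & 0xff));
        }
        return sb.toString();
    }
    static String sign(String secret, String amzDate, String region, String service,
                       String host, String path, String payload, boolean doubleUrlEncode) throws Exception {
        String date = amzDate.substring(0, 8), scope = date + "/" + region + "/" + service + "/aws4_request";
        String uri = doubleUrlEncode ? encodePath(encodePath(path)) : encodePath(path);
        // Step 1: canonical request = method, URI, query, headers, signed header list, payload hash.
        String canonical = "GET\n" + uri + "\n\n" + "host:" + host + "\nx-amz-date:" + amzDate + "\n\n"
                + "host;x-amz-date\n" + sha256Hex(payload);
        // Step 2: string to sign binds algorithm, timestamp and credential scope to the request hash.
        String stringToSign = "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + sha256Hex(canonical);
        // Step 3: derive the date/region/service-scoped signing key, then HMAC the string to sign.
        byte[] k = hmac(("AWS4" + secret).getBytes(StandardCharsets.UTF_8), date);
        k = hmac(hmac(hmac(k, region), service), "aws4_request");
        return hex(hmac(k, stringToSign));
    }
    public static void main(String[] args) throws Exception {
        String secret = "EXAMPLE-SECRET-NOT-REAL", ts = "20240101T000000Z", path = "/docs/my file.txt"; // constructed
        for (boolean dbl : new boolean[] {true, false}) // same request, both settings of the flag
            System.out.println("doubleUrlEncode=" + dbl + " -> " + sign(secret, ts, "us-east-1", "execute-api", "api.example.com", path, "", dbl));
    }
}
```

The two settings produce different canonical URIs for the same path, so the signer's flag has to match how the target service canonicalizes the path or the service will compute a different signature and reject the request.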