Package com.amazonaws.auth
Class AWS4Signer
java.lang.Object
  com.amazonaws.auth.AbstractAWSSigner
    com.amazonaws.auth.AWS4Signer

All Implemented Interfaces: Presigner, RegionAwareSigner, ServiceAwareSigner, Signer
public class AWS4Signer extends AbstractAWSSigner implements ServiceAwareSigner, RegionAwareSigner, Presigner
Signer implementation that signs requests with the AWS4 signing protocol.

Field Summary
protected boolean doubleUrlEncode
    Whether to double URL-encode the resource path when constructing the canonical request.
protected static InternalLogApi log
protected Date overriddenDate
    Date override for testing only.
protected String regionName
    Region name override for use when the endpoint can't be used to determine the region name.
protected String serviceName
    Service name override for use when the endpoint can't be used to determine the service name.
Fields inherited from class com.amazonaws.auth.AbstractAWSSigner
EMPTY_STRING_SHA256_HEX
Constructor Summary
AWS4Signer()
    Construct a new AWS4 signer instance.
AWS4Signer(boolean doubleUrlEncoding)
    Construct a new AWS4 signer instance.
Method Summary
protected void addHostHeader(SignableRequest<?> request)
protected void addSessionCredentials(SignableRequest<?> request, AWSSessionCredentials credentials)
    Adds session credentials to the request given.
protected String calculateContentHash(SignableRequest<?> request)
    Calculate the hash of the request's payload.
protected String calculateContentHashPresign(SignableRequest<?> request)
    Calculate the hash of the request's payload.
protected byte[] computeSignature(String stringToSign, byte[] signingKey, com.amazonaws.auth.internal.AWS4SignerRequestParams signerRequestParams)
    Step 3 of the AWS Signature version 4 calculation.
protected String createCanonicalRequest(SignableRequest<?> request, String contentSha256)
    Step 1 of the AWS Signature version 4 calculation.
protected String createStringToSign(String canonicalRequest, com.amazonaws.auth.internal.AWS4SignerRequestParams signerParams)
    Step 2 of the AWS Signature version 4 calculation.
protected String getCanonicalizedHeaderString(SignableRequest<?> request)
Date getOverriddenDate()
    Returns a copy of date that overrides the signing date in the request.
String getRegionName()
    Returns the region name that is used when calculating the signature.
String getServiceName()
    Returns the service name that is used when calculating the signature.
protected String getSignedHeadersString(SignableRequest<?> request)
void presignRequest(SignableRequest<?> request, AWSCredentials credentials, Date userSpecifiedExpirationDate)
    Signs the request by adding the signature to the URL rather than as a header.
protected void processRequestPayload(SignableRequest<?> request, byte[] signature, byte[] signingKey, com.amazonaws.auth.internal.AWS4SignerRequestParams signerRequestParams)
    Subclass could override this method to perform any additional procedure on the request payload, with access to the result from signing the header.
void setRegionName(String regionName)
    Sets the region name that this signer should use when calculating request signatures.
void setServiceName(String serviceName)
    Sets the service name that this signer should use when calculating request signatures.
protected boolean shouldExcludeHeaderFromSigning(String header)
void sign(SignableRequest<?> request, AWSCredentials credentials)
    Sign the given request with the given set of credentials.
Methods inherited from class com.amazonaws.auth.AbstractAWSSigner
getBinaryRequestPayload, getBinaryRequestPayloadStream, getBinaryRequestPayloadStreamWithoutQueryParams, getBinaryRequestPayloadWithoutQueryParams, getCanonicalizedEndpoint, getCanonicalizedQueryString, getCanonicalizedQueryString, getCanonicalizedResourcePath, getCanonicalizedResourcePath, getRequestPayload, getRequestPayloadWithoutQueryParams, getSignatureDate, getTimeOffset, hash, hash, hash, newString, sanitizeCredentials, sign, sign, signAndBase64Encode, signAndBase64Encode, signWithMac
Field Detail
-
log
protected static final InternalLogApi log
-
serviceName
protected String serviceName
Service name override for use when the endpoint can't be used to determine the service name.
-
regionName
protected String regionName
Region name override for use when the endpoint can't be used to determine the region name.
-
overriddenDate
protected Date overriddenDate
Date override for testing only
-
doubleUrlEncode
protected boolean doubleUrlEncode
Whether to double URL-encode the resource path when constructing the canonical request. By default, double URL-encoding is enabled. TODO: Different SigV4 services seem to be inconsistent on this, so services that want to suppress it should use new AWS4Signer(false).
-
-
Constructor Detail
-
AWS4Signer
public AWS4Signer()
Construct a new AWS4 signer instance. By default, enable double url-encoding.
-
AWS4Signer
public AWS4Signer(boolean doubleUrlEncoding)
Construct a new AWS4 signer instance.
Parameters:
doubleUrlEncoding - Whether to double URL-encode the resource path when constructing the canonical request.
-
-
Method Detail
-
setServiceName
public void setServiceName(String serviceName)
Sets the service name that this signer should use when calculating request signatures. This can almost always be determined directly from the request's end point, so you shouldn't need this method, but it's provided for the edge case where the information is not in the endpoint.
Specified by: setServiceName in interface ServiceAwareSigner
Parameters:
serviceName - The service name to use when calculating signatures in this signer.
-
setRegionName
public void setRegionName(String regionName)
Sets the region name that this signer should use when calculating request signatures. This can almost always be determined directly from the request's end point, so you shouldn't need this method, but it's provided for the edge case where the information is not in the endpoint.
Specified by: setRegionName in interface RegionAwareSigner
Parameters:
regionName - The region name to use when calculating signatures in this signer.
-
getRegionName
public String getRegionName()
Returns the region name that is used when calculating the signature.
-
getServiceName
public String getServiceName()
Returns the service name that is used when calculating the signature.
-
getOverriddenDate
public Date getOverriddenDate()
Returns a copy of the date that overrides the signing date in the request. Returns null by default.
-
sign
public void sign(SignableRequest<?> request, AWSCredentials credentials)
Description copied from interface: Signer
Sign the given request with the given set of credentials. Modifies the passed-in request to apply the signature.
-
presignRequest
public void presignRequest(SignableRequest<?> request, AWSCredentials credentials, Date userSpecifiedExpirationDate)
Description copied from interface: Presigner
Signs the request by adding the signature to the URL rather than as a header. This method is expected to modify the passed-in request to add the signature.
Specified by: presignRequest in interface Presigner
Parameters:
request - The request to sign.
credentials - The credentials to sign it with.
userSpecifiedExpirationDate - The time when this presigned URL will expire.
-
createCanonicalRequest
protected String createCanonicalRequest(SignableRequest<?> request, String contentSha256)
Step 1 of the AWS Signature version 4 calculation. Refer to http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html to generate the canonical request.
-
createStringToSign
protected String createStringToSign(String canonicalRequest, com.amazonaws.auth.internal.AWS4SignerRequestParams signerParams)
Step 2 of the AWS Signature version 4 calculation. Refer to http://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html.
-
computeSignature
protected final byte[] computeSignature(String stringToSign, byte[] signingKey, com.amazonaws.auth.internal.AWS4SignerRequestParams signerRequestParams)
Step 3 of the AWS Signature version 4 calculation. It involves deriving the signing key and computing the signature. Refer to http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
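
The three steps above and the effect of the doubleUrlEncode flag, as an added stand-alone Python sketch: it is not the SDK's code, and it follows the public Signature Version 4 description rather than this class's internals. The secret key, host, path, service name and all function names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote

UNRESERVED = "-_.~"  # RFC 3986 unreserved characters are never percent-encoded

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def canonical_request(method, raw_path, params, headers, payload, double_url_encode=True):
    """Step 1: normalise every signed part of the request into one string."""
    path = quote(raw_path, safe="/" + UNRESERVED)   # encoding done when the request is built
    if double_url_encode:                           # second pass: "%20" becomes "%2520"
        path = quote(path, safe="/" + UNRESERVED)
    query = "&".join(f"{k}={v}" for k, v in sorted(
        (quote(k, safe=UNRESERVED), quote(v, safe=UNRESERVED)) for k, v in params.items()))
    canon = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    header_block = "".join(f"{k}:{v}\n" for k, v in canon)
    signed_headers = ";".join(k for k, _ in canon)
    payload_hash = hashlib.sha256(payload).hexdigest()
    return "\n".join([method, path, query, header_block, signed_headers, payload_hash])

def string_to_sign(canon_req, amz_date, region, service):
    """Step 2: bind the canonical request hash to a timestamp and credential scope."""
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    digest = hashlib.sha256(canon_req.encode("utf-8")).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])

def compute_signature(sts, secret_key, amz_date, region, service):
    """Step 3: derive the scoped signing key, then HMAC the string to sign."""
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = _hmac(key, part)
    return _hmac(key, sts).hex()

# Constructed sample request; the key, host and path are not real.
SECRET = "constructed-secret-for-illustration"
AMZ_DATE = "20240101T000000Z"
HEADERS = {"Host": "example.amazonaws.com", "X-Amz-Date": AMZ_DATE}

def sign_sample(double_url_encode=True, region="us-east-1", service="execute-api"):
    creq = canonical_request("GET", "/docs/my file.txt", {"version": "1"},
                             HEADERS, b"", double_url_encode)
    sts = string_to_sign(creq, AMZ_DATE, region, service)
    return creq, compute_signature(sts, SECRET, AMZ_DATE, region, service)

if __name__ == "__main__":
    for flag in (True, False):
        creq, sig = sign_sample(flag)
        print(flag, creq.splitlines()[1], sig)
```

A verifier that canonicalizes the path with the other encoding setting derives a different signature and rejects the request, which is the mismatch new AWS4Signer(false) exists to avoid.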
-
addSessionCredentials
protected void addSessionCredentials(SignableRequest<?> request, AWSSessionCredentials credentials)
Description copied from class: AbstractAWSSigner
Adds session credentials to the request given.
Specified by: addSessionCredentials in class AbstractAWSSigner
Parameters:
request - The request to add session credentials information to
credentials - The session credentials to add to the request
-
getCanonicalizedHeaderString
protected String getCanonicalizedHeaderString(SignableRequest<?> request)
-
getSignedHeadersString
protected String getSignedHeadersString(SignableRequest<?> request)
-
shouldExcludeHeaderFromSigning
protected boolean shouldExcludeHeaderFromSigning(String header)
-
addHostHeader
protected void addHostHeader(SignableRequest<?> request)
-
calculateContentHash
protected String calculateContentHash(SignableRequest<?> request)
Calculate the hash of the request's payload. Subclass could override this method to provide different values for "x-amz-content-sha256" header or do any other necessary set-ups on the request headers. (e.g. aws-chunked uses a pre-defined header value, and needs to change some headers relating to content-encoding and content-length.)
-
processRequestPayload
protected void processRequestPayload(SignableRequest<?> request, byte[] signature, byte[] signingKey, com.amazonaws.auth.internal.AWS4SignerRequestParams signerRequestParams)
Subclass could override this method to perform any additional procedure on the request payload, with access to the result from signing the header. (e.g. Signing the payload by chunk-encoding). The default implementation doesn't need to do anything.
-
calculateContentHashPresign
protected String calculateContentHashPresign(SignableRequest<?> request)
Calculate the hash of the request's payload. In the case of pre-signing, the existing code generates the hash of an empty byte array and returns it. This method can be overridden by subclasses to provide different values (e.g. for S3 pre-signing, the content hash calculation is different from the general implementation).