com.amazonaws.auth

Class AWS4Signer

java.lang.Object

com.amazonaws.auth.AbstractAWSSigner

com.amazonaws.auth.AWS4Signer

All Implemented Interfaces:

Presigner, RegionAwareSigner, ServiceAwareSigner, Signer

public class AWS4Signer
extends AbstractAWSSigner
implements ServiceAwareSigner, RegionAwareSigner, Presigner

Signer implementation that signs requests with the AWS4 signing protocol.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	AWS4Signer.HeaderSigningResult

Field Summary

Fields

Modifier and Type	Field and Description
protected static java.lang.String	ALGORITHM
protected boolean	doubleUrlEncode Whether double url-encode the resource path when constructing the canonical request.
protected static Log	log
protected java.util.Date	overriddenDate Date override for testing only
protected java.lang.String	regionName Region name override for use when the endpoint can't be used to determine the region name.
protected java.lang.String	serviceName Service name override for use when the endpoint can't be used to determine the service name.
protected static java.lang.String	TERMINATOR

Fields inherited from class com.amazonaws.auth.AbstractAWSSigner

EMPTY_STRING_SHA256_HEX

Constructor Summary

Constructors

Constructor and Description
AWS4Signer() Construct a new AWS4 signer instance.
AWS4Signer(boolean doubleUrlEncoding) Construct a new AWS4 signer instance.

Method Summary

Modifier and Type	Method and Description
protected void	addHostHeader(Request<?> request)
protected void	addSessionCredentials(Request<?> request, AWSSessionCredentials credentials) Adds session credentials to the request given.
protected java.lang.String	calculateContentHash(Request<?> request) Calculate the hash of the request's payload.
protected java.lang.String	calculateContentHashPresign(Request<?> request) Calculate the hash of the request's payload.
protected AWS4Signer.HeaderSigningResult	computeSignature(Request<?> request, java.lang.String dateStamp, java.lang.String timeStamp, java.lang.String algorithm, java.lang.String contentSha256, AWSCredentials sanitizedCredentials)
protected java.lang.String	extractRegionName(java.net.URI endpoint)
protected java.lang.String	extractServiceName(java.net.URI endpoint)
protected java.lang.String	getCanonicalizedHeaderString(Request<?> request)
protected java.lang.String	getCanonicalRequest(Request<?> request, java.lang.String contentSha256)
protected long	getDateFromRequest(Request<?> request)
protected java.lang.String	getDateStamp(long dateMilli)
protected java.lang.String	getScope(Request<?> request, java.lang.String dateStamp)
protected java.lang.String	getSignedHeadersString(Request<?> request)
protected java.lang.String	getStringToSign(java.lang.String algorithm, java.lang.String dateTime, java.lang.String scope, java.lang.String canonicalRequest)
protected java.lang.String	getTimeStamp(long dateMilli)
void	presignRequest(Request<?> request, AWSCredentials credentials, java.util.Date expiration) Signs the request by adding the signature to the URL rather than as a header.
protected void	processRequestPayload(Request<?> request, AWS4Signer.HeaderSigningResult headerSigningResult) Subclass could override this method to perform any additional procedure on the request payload, with access to the result from signing the header.
void	setRegionName(java.lang.String regionName) Sets the region name that this signer should use when calculating request signatures.
void	setServiceName(java.lang.String serviceName) Sets the service name that this signer should use when calculating request signatures.
void	sign(Request<?> request, AWSCredentials credentials) Sign the given request with the given set of credentials.

Methods inherited from class com.amazonaws.auth.AbstractAWSSigner

getBinaryRequestPayload, getBinaryRequestPayloadStream, getBinaryRequestPayloadStreamWithoutQueryParams, getBinaryRequestPayloadWithoutQueryParams, getCanonicalizedEndpoint, getCanonicalizedQueryString, getCanonicalizedQueryString, getCanonicalizedResourcePath, getCanonicalizedResourcePath, getRequestPayload, getRequestPayloadWithoutQueryParams, getSignatureDate, getTimeOffset, hash, hash, hash, newString, sanitizeCredentials, sign, sign, signAndBase64Encode, signAndBase64Encode

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ALGORITHM

protected static final java.lang.String ALGORITHM

See Also:

Constant Field Values

TERMINATOR

protected static final java.lang.String TERMINATOR

See Also:

Constant Field Values

serviceName

protected java.lang.String serviceName

Service name override for use when the endpoint can't be used to determine the service name.

regionName

protected java.lang.String regionName

Region name override for use when the endpoint can't be used to determine the region name.

overriddenDate

protected java.util.Date overriddenDate

Date override for testing only

doubleUrlEncode

protected boolean doubleUrlEncode

Whether double url-encode the resource path when constructing the canonical request. By default, we enable double url-encoding. TODO: Different sigv4 services seem to be inconsistent on this. So for services that want to suppress this, they should use new AWS4Signer(false).

log

protected static final Log log

Constructor Detail

AWS4Signer

public AWS4Signer()

Construct a new AWS4 signer instance. By default, enable double url-encoding.

AWS4Signer

public AWS4Signer(boolean doubleUrlEncoding)

Construct a new AWS4 signer instance.

Parameters:

doubleUrlEncoding - Whether double url-encode the resource path when constructing the canonical request.

Method Detail

sign

public void sign(Request<?> request,
                 AWSCredentials credentials)

Description copied from interface: Signer

Sign the given request with the given set of credentials. Modifies the passed-in request to apply the signature.

Specified by:

sign in interface Signer

Parameters:

request - The request to sign.

credentials - The credentials to sign the request with.

setServiceName

public void setServiceName(java.lang.String serviceName)

Sets the service name that this signer should use when calculating request signatures. This can almost always be determined directly from the request's end point, so you shouldn't need this method, but it's provided for the edge case where the information is not in the endpoint.

Specified by:

setServiceName in interface ServiceAwareSigner

Parameters:

serviceName - The service name to use when calculating signatures in this signer.

setRegionName

public void setRegionName(java.lang.String regionName)

Sets the region name that this signer should use when calculating request signatures. This can almost always be determined directly from the request's end point, so you shouldn't need this method, but it's provided for the edge case where the information is not in the endpoint.

Specified by:

setRegionName in interface RegionAwareSigner

Parameters:

regionName - The region name to use when calculating signatures in this signer.

addSessionCredentials

protected void addSessionCredentials(Request<?> request,
                                     AWSSessionCredentials credentials)

Description copied from class: AbstractAWSSigner

Adds session credentials to the request given.

Specified by:

addSessionCredentials in class AbstractAWSSigner

Parameters:

request - The request to add session credentials information to

credentials - The session credentials to add to the request

extractRegionName

protected java.lang.String extractRegionName(java.net.URI endpoint)

extractServiceName

protected java.lang.String extractServiceName(java.net.URI endpoint)

getCanonicalizedHeaderString

protected java.lang.String getCanonicalizedHeaderString(Request<?> request)

getSignedHeadersString

protected java.lang.String getSignedHeadersString(Request<?> request)

getCanonicalRequest

protected java.lang.String getCanonicalRequest(Request<?> request,
                                               java.lang.String contentSha256)

getStringToSign

protected java.lang.String getStringToSign(java.lang.String algorithm,
                                           java.lang.String dateTime,
                                           java.lang.String scope,
                                           java.lang.String canonicalRequest)

computeSignature

protected final AWS4Signer.HeaderSigningResult computeSignature(Request<?> request,
                                                                java.lang.String dateStamp,
                                                                java.lang.String timeStamp,
                                                                java.lang.String algorithm,
                                                                java.lang.String contentSha256,
                                                                AWSCredentials sanitizedCredentials)

getTimeStamp

protected final java.lang.String getTimeStamp(long dateMilli)

getDateStamp

protected final java.lang.String getDateStamp(long dateMilli)

getDateFromRequest

protected final long getDateFromRequest(Request<?> request)

addHostHeader

protected void addHostHeader(Request<?> request)

getScope

protected java.lang.String getScope(Request<?> request,
                                    java.lang.String dateStamp)

calculateContentHash

protected java.lang.String calculateContentHash(Request<?> request)

Calculate the hash of the request's payload. Subclass could override this method to provide different values for "x-amz-content-sha256" header or do any other necessary set-ups on the request headers. (e.g. aws-chunked uses a pre-defined header value, and needs to change some headers relating to content-encoding and content-length.)

processRequestPayload

protected void processRequestPayload(Request<?> request,
                                     AWS4Signer.HeaderSigningResult headerSigningResult)

Subclass could override this method to perform any additional procedure on the request payload, with access to the result from signing the header. (e.g. Signing the payload by chunk-encoding). The default implementation doesn't need to do anything.

presignRequest

public void presignRequest(Request<?> request,
                           AWSCredentials credentials,
                           java.util.Date expiration)

Description copied from interface: Presigner

Signs the request by adding the signature to the URL rather than as a header. This method is expected to modify the passed-in request to add the signature.

Specified by:

presignRequest in interface Presigner

Parameters:

request - The request to sign.

credentials - The credentials to sign it with.

expiration - The time when this presigned URL will expire.

calculateContentHashPresign

protected java.lang.String calculateContentHashPresign(Request<?> request)

Calculate the hash of the request's payload. In case of pre-sign, the existing code would generate the hash of an empty byte array and returns it. This method can be overridden by sub classes to provide different values (e.g) For S3 pre-signing, the content hash calculation is different from the general implementation.