com.amazonaws.services.cloudfront

Enum CloudFrontUrlSigner

java.lang.Object

java.lang.Enum<CloudFrontUrlSigner>

com.amazonaws.services.cloudfront.CloudFrontUrlSigner

All Implemented Interfaces:

Serializable, Comparable<CloudFrontUrlSigner>

public enum CloudFrontUrlSigner
extends Enum<CloudFrontUrlSigner>

Utility class for generating pre-signed URLs for serving private CloudFront content. All dates must be in UTC. Use Calendar to set the timezone specifically before converting to a Date object, or else use DateUtils to turn a UTC date String into a Date object.

 Protocol protocol = Protocol.http;
 String distributionDomain = "d1b2c3a4g5h6.cloudfront.net";
 File privateKeyFile = new File("/path/to/cfcurlCloud/rsa-private-key.pem");
 String s3ObjectKey = "a/b/images.jpeg";
 String keyPairId = "APKAJCEOKRHC3XIVU5NA";
 Date dateLessThan = DateUtils.parseISO8601Date("2012-11-14T22:20:00.000Z");
 Date dateGreaterThan = DateUtils.parseISO8601Date("2011-11-14T22:20:00.000Z");
 String ipRange = "192.168.0.1/24";

 String url1 = CloudFrontUrlSigner.getSignedURLWithCannedPolicy(
              protocol, distributionDomain, privateKeyFile,
              s3ObjectKey, keyPairId, dateLessThan);

 String url2 = CloudFrontUrlSigner.getSignedURLWithCustomPolicy(
              protocol, distributionDomain, privateKeyFile,
              s3ObjectKey, keyPairId, dateLessThan,
              dateGreaterThan, ipRange);
 

See Also:

DateUtils

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	CloudFrontUrlSigner.Protocol Enumeration of protocols for presigned URLs

Method Summary

Modifier and Type	Method and Description
static String	buildCustomPolicyForSignedUrl(String resourcePath, Date epochDateLessThan, String limitToIpAddressCIDR, Date epochDateGreaterThan) Generate a policy document that describes custom access permissions to apply via a private distribution's signed URL.
static String	getSignedURLWithCannedPolicy(CloudFrontUrlSigner.Protocol protocol, String distributionDomain, File privateKeyFile, String s3ObjectKey, String keyPairId, Date dateLessThan) Returns a signed URL with a canned policy that grants universal access to private content until a given date.
static String	getSignedURLWithCannedPolicy(String resourceUrlOrPath, String keyPairId, PrivateKey privateKey, Date dateLessThan) Generate a signed URL that allows access to a specific distribution and S3 object by applying a access restrictions from a "canned" (simplified) policy document.
static String	getSignedURLWithCustomPolicy(CloudFrontUrlSigner.Protocol protocol, String distributionDomain, File privateKeyFile, String s3ObjectKey, String keyPairId, Date dateLessThan, Date dateGreaterThan, String ipRange) Returns a signed URL that provides tailored access to private content based on an access time window and an ip range.
static String	getSignedURLWithCustomPolicy(String resourceUrlOrPath, String keyPairId, PrivateKey privateKey, String policy) Generate a signed URL that allows access to distribution and S3 objects by applying access restrictions specified in a custom policy document.
static CloudFrontUrlSigner	valueOf(String name) Returns the enum constant of this type with the specified name.
static CloudFrontUrlSigner[]	values() Returns an array containing the constants of this enum type, in the order they are declared.

Methods inherited from class java.lang.Enum

clone, compareTo, equals, finalize, getDeclaringClass, hashCode, name, ordinal, toString, valueOf

Methods inherited from class java.lang.Object

getClass, notify, notifyAll, wait, wait, wait

Method Detail

values

public static CloudFrontUrlSigner[] values()

Returns an array containing the constants of this enum type, in the order they are declared. This method may be used to iterate over the constants as follows:

for (CloudFrontUrlSigner c : CloudFrontUrlSigner.values())
    System.out.println(c);

Returns:

an array containing the constants of this enum type, in the order they are declared

valueOf

public static CloudFrontUrlSigner valueOf(String name)

Returns the enum constant of this type with the specified name. The string must match exactly an identifier used to declare an enum constant in this type. (Extraneous whitespace characters are not permitted.)

Parameters:

name - the name of the enum constant to be returned.

Returns:

the enum constant with the specified name

Throws:

IllegalArgumentException - if this enum type has no constant with the specified name

NullPointerException - if the argument is null

getSignedURLWithCannedPolicy

public static String getSignedURLWithCannedPolicy(CloudFrontUrlSigner.Protocol protocol,
                                                  String distributionDomain,
                                                  File privateKeyFile,
                                                  String s3ObjectKey,
                                                  String keyPairId,
                                                  Date dateLessThan)
                                           throws InvalidKeySpecException,
                                                  IOException

Returns a signed URL with a canned policy that grants universal access to private content until a given date. For more information, see Overview of Signed URLs.

Parameters:

protocol - The protocol of the URL

distributionDomain - The domain name of the distribution

s3ObjectKey - The s3 key of the object, or the name of the stream for rtmp

privateKeyFile - The private key file. RSA private key (.pem) and pkcs8 (.der) files are supported.

keyPairId - The key pair id corresponding to the private key file given

dateLessThan - The expiration date of the signed URL in UTC

Returns:

The signed URL.

Throws:

InvalidKeySpecException

IOException

getSignedURLWithCustomPolicy

public static String getSignedURLWithCustomPolicy(CloudFrontUrlSigner.Protocol protocol,
                                                  String distributionDomain,
                                                  File privateKeyFile,
                                                  String s3ObjectKey,
                                                  String keyPairId,
                                                  Date dateLessThan,
                                                  Date dateGreaterThan,
                                                  String ipRange)
                                           throws InvalidKeySpecException,
                                                  IOException

Returns a signed URL that provides tailored access to private content based on an access time window and an ip range. For more information, see Overview of Signed URLs.

Parameters:

protocol - The protocol of the URL

distributionDomain - The domain name of the distribution

privateKeyFile - Your private key file. RSA private key (.pem) and pkcs8 (.der) files are supported.

s3ObjectKey - The s3 key of the object, or the name of the stream for rtmp

keyPairId - The key pair id corresponding to the private key file given

dateLessThan - The expiration date of the signed URL in UTC

dateGreaterThan - The beginning valid date of the signed URL in UTC

ipRange - The allowed IP address range of the client making the GET request, in CIDR form (e.g. 192.168.0.1/24).

Returns:

The signed URL.

Throws:

IOException

InvalidKeySpecException

getSignedURLWithCustomPolicy

public static String getSignedURLWithCustomPolicy(String resourceUrlOrPath,
                                                  String keyPairId,
                                                  PrivateKey privateKey,
                                                  String policy)

Generate a signed URL that allows access to distribution and S3 objects by applying access restrictions specified in a custom policy document. For more information, see Overview of Signed URLs.

Parameters:

resourceUrlOrPath - The URL or path that uniquely identifies a resource within a distribution. For standard distributions the resource URL will be "http://" + distributionName + "/" + objectKey (may also include URL parameters. For distributions with the HTTPS required protocol, the resource URL must start with "https://". RTMP resources do not take the form of a URL, and instead the resource path is nothing but the stream's name.

keyPairId - Identifier of a public/private certificate keypair already configured in your Amazon Web Services account.

privateKey - The RSA private key data that corresponding to the certificate keypair identified by keyPairId.

policy - A policy document that describes the access permissions that will be applied by the signed URL. To generate a custom policy use

Returns:

A signed URL that will permit access to distribution and S3 objects as specified in the policy document.

getSignedURLWithCannedPolicy

public static String getSignedURLWithCannedPolicy(String resourceUrlOrPath,
                                                  String keyPairId,
                                                  PrivateKey privateKey,
                                                  Date dateLessThan)

Generate a signed URL that allows access to a specific distribution and S3 object by applying a access restrictions from a "canned" (simplified) policy document. For more information, see Overview of Signed URLs.

Parameters:

resourceUrlOrPath - The URL or path that uniquely identifies a resource within a distribution. For standard distributions the resource URL will be "http://" + distributionName + "/" + objectKey (may also include URL parameters. For distributions with the HTTPS required protocol, the resource URL must start with "https://". RTMP resources do not take the form of a URL, and instead the resource path is nothing but the stream's name.

keyPairId - Identifier of a public/private certificate keypair already configured in your Amazon Web Services account.

privateKey - The private key data that corresponding to the keypair identified by keyPairId

dateLessThan - The UTC time and date when the signed URL will expire. REQUIRED.

Returns:

A signed URL that will permit access to a specific distribution and S3 object.

buildCustomPolicyForSignedUrl

public static String buildCustomPolicyForSignedUrl(String resourcePath,
                                                   Date epochDateLessThan,
                                                   String limitToIpAddressCIDR,
                                                   Date epochDateGreaterThan)

Generate a policy document that describes custom access permissions to apply via a private distribution's signed URL.

Parameters:

resourcePath - An optional HTTP/S or RTMP resource path that restricts which distribution and S3 objects will be accessible in a signed URL. For standard distributions the resource URL will be "http://" + distributionName + "/" + objectKey (may also include URL parameters. For distributions with the HTTPS required protocol, the resource URL must start with "https://". RTMP resources do not take the form of a URL, and instead the resource path is nothing but the stream's name. The '*' and '?' characters can be used as a wildcards to allow multi-character or single-character matches respectively:

• * : All distributions/objects will be accessible
• a1b2c3d4e5f6g7.cloudfront.net/* : All objects within the distribution a1b2c3d4e5f6g7 will be accessible
• a1b2c3d4e5f6g7.cloudfront.net/path/to/object.txt : Only the S3 object named path/to/object.txt in the distribution a1b2c3d4e5f6g7 will be accessible.

If this parameter is null the policy will permit access to all distributions and S3 objects associated with the certificate keypair used to generate the signed URL.

epochDateLessThan - The UTC time and date when the signed URL will expire. REQUIRED.

limitToIpAddressCIDR - An optional range of client IP addresses that will be allowed to access the distribution, specified as a CIDR range. If null, the CIDR will be 0.0.0.0/0 and any client will be permitted.

epochDateGreaterThan - An optional UTC time and date when the signed URL will become active. If null, the signed URL will be active as soon as it is created.

Returns:

A policy document describing the access permission to apply when generating a signed URL.