com.amazonaws.auth

Class AWS4Signer

java.lang.Object

com.amazonaws.auth.AbstractAWSSigner

com.amazonaws.auth.AWS4Signer

All Implemented Interfaces:

EndpointPrefixAwareSigner, Presigner, RegionAwareSigner, RegionFromEndpointResolverAwareSigner, ServiceAwareSigner, Signer

Direct Known Subclasses:

AWS4UnsignedPayloadSigner

public class AWS4Signer
extends AbstractAWSSigner
implements ServiceAwareSigner, RegionAwareSigner, Presigner, EndpointPrefixAwareSigner, RegionFromEndpointResolverAwareSigner

Signer implementation that signs requests with the AWS4 signing protocol.

Field Summary

Fields

Modifier and Type	Field and Description
protected boolean	doubleUrlEncode Whether double url-encode the resource path when constructing the canonical request.
protected static InternalLogApi	log
protected Date	overriddenDate Date override for testing only
protected String	regionName Region name override for use when the endpoint can't be used to determine the region name.
protected String	serviceName Service name override for use when the endpoint can't be used to determine the service name.

Fields inherited from class com.amazonaws.auth.AbstractAWSSigner

EMPTY_STRING_SHA256_HEX

Constructor Summary

Constructors

Constructor and Description
AWS4Signer() Construct a new AWS4 signer instance.
AWS4Signer(boolean doubleUrlEncoding) Construct a new AWS4 signer instance.
AWS4Signer(SdkClock clock)

Method Summary

Modifier and Type	Method and Description
protected void	addHostHeader(SignableRequest<?> request)
protected void	addSessionCredentials(SignableRequest<?> request, AWSSessionCredentials credentials) Adds session credentials to the request given.
protected String	calculateContentHash(SignableRequest<?> request) Calculate the hash of the request's payload.
protected String	calculateContentHashPresign(SignableRequest<?> request) Calculate the hash of the request's payload.
protected byte[]	computeSignature(String stringToSign, byte[] signingKey, AWS4SignerRequestParams signerRequestParams) Step 3 of the AWS Signature version 4 calculation.
protected String	createCanonicalRequest(SignableRequest<?> request, String contentSha256) Step 1 of the AWS Signature version 4 calculation.
protected String	createStringToSign(String canonicalRequest, AWS4SignerRequestParams signerParams) Step 2 of the AWS Signature version 4 calculation.
protected String	getCanonicalizedHeaderString(SignableRequest<?> request)
Date	getOverriddenDate() Returns a copy of date that overrides the signing date in the request.
String	getRegionName() Returns the region name that is used when calculating the signature.
String	getServiceName() Returns the service name that is used when calculating the signature.
protected String	getSignedHeadersString(SignableRequest<?> request)
protected byte[]	newSigningKey(AWSCredentials credentials, String dateStamp, String regionName, String serviceName) Generates a new signing key from the given parameters and returns it.
void	presignRequest(SignableRequest<?> request, AWSCredentials credentials, Date userSpecifiedExpirationDate) Signs the request by adding the signature to the URL rather than as a header.
protected void	processRequestPayload(SignableRequest<?> request, byte[] signature, byte[] signingKey, AWS4SignerRequestParams signerRequestParams) Subclass could override this method to perform any additional procedure on the request payload, with access to the result from signing the header.
void	setEndpointPrefix(String endpointPrefix) Sets the endpoint prefix which is used to compute the region that is used for signing the request.
void	setOverrideDate(Date overriddenDate) Sets the date that overrides the signing date in the request.
void	setRegionFromEndpointResolver(RegionFromEndpointResolver resolver) Set the RegionFromEndpointResolver to use when converting an endpoint into a region.
void	setRegionName(String regionName) Sets the region name that this signer should use when calculating request signatures.
void	setServiceName(String serviceName) Sets the service name that this signer should use when calculating request signatures.
protected boolean	shouldExcludeHeaderFromSigning(String header)
void	sign(SignableRequest<?> request, AWSCredentials credentials) Sign the given request with the given set of credentials.

Methods inherited from class com.amazonaws.auth.AbstractAWSSigner

getBinaryRequestPayload, getBinaryRequestPayloadStream, getBinaryRequestPayloadStreamWithoutQueryParams, getBinaryRequestPayloadWithoutQueryParams, getCanonicalizedEndpoint, getCanonicalizedQueryString, getCanonicalizedQueryString, getCanonicalizedResourcePath, getCanonicalizedResourcePath, getRequestPayload, getRequestPayloadWithoutQueryParams, getSignatureDate, getTimeOffset, hash, hash, hash, newString, sanitizeCredentials, sign, sign, signAndBase64Encode, signAndBase64Encode, signWithMac

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

protected static final InternalLogApi log

serviceName

protected String serviceName

Service name override for use when the endpoint can't be used to determine the service name.

regionName

protected String regionName

Region name override for use when the endpoint can't be used to determine the region name.

overriddenDate

protected Date overriddenDate

Date override for testing only

doubleUrlEncode

protected boolean doubleUrlEncode

Whether double url-encode the resource path when constructing the canonical request. By default, we enable double url-encoding. TODO: Different sigv4 services seem to be inconsistent on this. So for services that want to suppress this, they should use new AWS4Signer(false).

Constructor Detail

AWS4Signer

public AWS4Signer()

Construct a new AWS4 signer instance. By default, enable double url-encoding.

AWS4Signer

public AWS4Signer(boolean doubleUrlEncoding)

Construct a new AWS4 signer instance.

Parameters:

doubleUrlEncoding - Whether double url-encode the resource path when constructing the canonical request.

AWS4Signer

public AWS4Signer(SdkClock clock)

Method Detail

setServiceName

public void setServiceName(String serviceName)

Sets the service name that this signer should use when calculating request signatures. This can almost always be determined directly from the request's end point, so you shouldn't need this method, but it's provided for the edge case where the information is not in the endpoint.

Specified by:

setServiceName in interface ServiceAwareSigner

Parameters:

serviceName - The service name to use when calculating signatures in this signer.

setRegionName

public void setRegionName(String regionName)

Sets the region name that this signer should use when calculating request signatures. This can almost always be determined directly from the request's end point, so you shouldn't need this method, but it's provided for the edge case where the information is not in the endpoint.

Specified by:

setRegionName in interface RegionAwareSigner

Parameters:

regionName - The region name to use when calculating signatures in this signer.

setEndpointPrefix

public void setEndpointPrefix(String endpointPrefix)

Sets the endpoint prefix which is used to compute the region that is used for signing the request. This value is passed to AWS4SignerRequestParams class which has the logic to compute region.

Specified by:

setEndpointPrefix in interface EndpointPrefixAwareSigner

Parameters:

endpointPrefix - The endpoint prefix of the service

setOverrideDate

public void setOverrideDate(Date overriddenDate)

Sets the date that overrides the signing date in the request. This method is internal and should be used only for testing purposes.

setRegionFromEndpointResolver

public void setRegionFromEndpointResolver(RegionFromEndpointResolver resolver)

Description copied from interface: RegionFromEndpointResolverAwareSigner

Set the RegionFromEndpointResolver to use when converting an endpoint into a region.

Specified by:

setRegionFromEndpointResolver in interface RegionFromEndpointResolverAwareSigner

getRegionName

public String getRegionName()

Returns the region name that is used when calculating the signature.

getServiceName

public String getServiceName()

Returns the service name that is used when calculating the signature.

getOverriddenDate

public Date getOverriddenDate()

Returns a copy of date that overrides the signing date in the request. Return null by default.

sign

public void sign(SignableRequest<?> request,
                 AWSCredentials credentials)

Description copied from interface: Signer

Sign the given request with the given set of credentials. Modifies the passed-in request to apply the signature.

Specified by:

sign in interface Signer

Parameters:

request - The request to sign.

credentials - The credentials to sign the request with.

presignRequest

public void presignRequest(SignableRequest<?> request,
                           AWSCredentials credentials,
                           Date userSpecifiedExpirationDate)

Description copied from interface: Presigner

Signs the request by adding the signature to the URL rather than as a header. This method is expected to modify the passed-in request to add the signature.

Specified by:

presignRequest in interface Presigner

Parameters:

request - The request to sign.

credentials - The credentials to sign it with.

userSpecifiedExpirationDate - The time when this presigned URL will expire.

createCanonicalRequest

protected String createCanonicalRequest(SignableRequest<?> request,
                                        String contentSha256)

Step 1 of the AWS Signature version 4 calculation. Refer to http://docs.aws .amazon.com/general/latest/gr/sigv4-create-canonical-request.html to generate the canonical request.

createStringToSign

protected String createStringToSign(String canonicalRequest,
                                    AWS4SignerRequestParams signerParams)

Step 2 of the AWS Signature version 4 calculation. Refer to http://docs.aws .amazon.com/general/latest/gr/sigv4-create-string-to-sign.html.

computeSignature

protected final byte[] computeSignature(String stringToSign,
                                        byte[] signingKey,
                                        AWS4SignerRequestParams signerRequestParams)

Step 3 of the AWS Signature version 4 calculation. It involves deriving the signing key and computing the signature. Refer to http://docs.aws.amazon .com/general/latest/gr/sigv4-calculate-signature.html

addSessionCredentials

protected void addSessionCredentials(SignableRequest<?> request,
                                     AWSSessionCredentials credentials)

Description copied from class: AbstractAWSSigner

Adds session credentials to the request given.

Specified by:

addSessionCredentials in class AbstractAWSSigner

Parameters:

request - The request to add session credentials information to

credentials - The session credentials to add to the request

getCanonicalizedHeaderString

protected String getCanonicalizedHeaderString(SignableRequest<?> request)

getSignedHeadersString

protected String getSignedHeadersString(SignableRequest<?> request)

shouldExcludeHeaderFromSigning

protected boolean shouldExcludeHeaderFromSigning(String header)

addHostHeader

protected void addHostHeader(SignableRequest<?> request)

calculateContentHash

protected String calculateContentHash(SignableRequest<?> request)

Calculate the hash of the request's payload. Subclass could override this method to provide different values for "x-amz-content-sha256" header or do any other necessary set-ups on the request headers. (e.g. aws-chunked uses a pre-defined header value, and needs to change some headers relating to content-encoding and content-length.)

processRequestPayload

protected void processRequestPayload(SignableRequest<?> request,
                                     byte[] signature,
                                     byte[] signingKey,
                                     AWS4SignerRequestParams signerRequestParams)

Subclass could override this method to perform any additional procedure on the request payload, with access to the result from signing the header. (e.g. Signing the payload by chunk-encoding). The default implementation doesn't need to do anything.

calculateContentHashPresign

protected String calculateContentHashPresign(SignableRequest<?> request)

Calculate the hash of the request's payload. In case of pre-sign, the existing code would generate the hash of an empty byte array and returns it. This method can be overridden by sub classes to provide different values (e.g) For S3 pre-signing, the content hash calculation is different from the general implementation.

newSigningKey

protected byte[] newSigningKey(AWSCredentials credentials,
                               String dateStamp,
                               String regionName,
                               String serviceName)

Generates a new signing key from the given parameters and returns it.