Package com.amazonaws.auth
Class AWS4Signer
java.lang.Object
com.amazonaws.auth.AbstractAWSSigner
com.amazonaws.auth.AWS4Signer
All Implemented Interfaces:
Presigner, RegionAwareSigner, ServiceAwareSigner, Signer
public class AWS4Signer
extends AbstractAWSSigner
implements ServiceAwareSigner, RegionAwareSigner, Presigner
Signer implementation that signs requests with the AWS4 signing protocol.

Field Summary
Fields
Modifier and Type, Field, Description
protected boolean doubleUrlEncode - Whether to double url-encode the resource path when constructing the canonical request.
protected static final InternalLogApi log
protected Date overriddenDate - Date override for testing only.
protected String regionName - Region name override for use when the endpoint can't be used to determine the region name.
protected String serviceName - Service name override for use when the endpoint can't be used to determine the service name.
Fields inherited from class com.amazonaws.auth.AbstractAWSSigner: EMPTY_STRING_SHA256_HEX

Constructor Summary
Constructors
Constructor, Description
AWS4Signer() - Construct a new AWS4 signer instance.
AWS4Signer(boolean doubleUrlEncoding) - Construct a new AWS4 signer instance.

Method Summary
Modifier and Type, Method, Description
protected void addHostHeader(SignableRequest<?> request)
protected void addSessionCredentials(SignableRequest<?> request, AWSSessionCredentials credentials) - Adds session credentials to the request given.
protected String calculateContentHash(SignableRequest<?> request) - Calculate the hash of the request's payload.
protected String calculateContentHashPresign(SignableRequest<?> request) - Calculate the hash of the request's payload.
protected final byte[] computeSignature(String stringToSign, byte[] signingKey, com.amazonaws.auth.internal.AWS4SignerRequestParams signerRequestParams) - Step 3 of the AWS Signature version 4 calculation.
protected String createCanonicalRequest(SignableRequest<?> request, String contentSha256) - Step 1 of the AWS Signature version 4 calculation.
protected String createStringToSign(String canonicalRequest, com.amazonaws.auth.internal.AWS4SignerRequestParams signerParams) - Step 2 of the AWS Signature version 4 calculation.
protected String getCanonicalizedHeaderString(SignableRequest<?> request)
getOverriddenDate - Returns a copy of date that overrides the signing date in the request.
getRegionName - Returns the region name that is used when calculating the signature.
getServiceName - Returns the service name that is used when calculating the signature.
protected String getSignedHeadersString(SignableRequest<?> request)
void presignRequest(SignableRequest<?> request, AWSCredentials credentials, Date userSpecifiedExpirationDate) - Signs the request by adding the signature to the URL rather than as a header.
protected void processRequestPayload(SignableRequest<?> request, byte[] signature, byte[] signingKey, com.amazonaws.auth.internal.AWS4SignerRequestParams signerRequestParams) - Subclass could override this method to perform any additional procedure on the request payload, with access to the result from signing the header.
void setRegionName(String regionName) - Sets the region name that this signer should use when calculating request signatures.
void setServiceName(String serviceName) - Sets the service name that this signer should use when calculating request signatures.
protected boolean shouldExcludeHeaderFromSigning(String header)
void sign(SignableRequest<?> request, AWSCredentials credentials) - Sign the given request with the given set of credentials.
Methods inherited from class com.amazonaws.auth.AbstractAWSSigner: getBinaryRequestPayload, getBinaryRequestPayloadStream, getBinaryRequestPayloadStreamWithoutQueryParams, getBinaryRequestPayloadWithoutQueryParams, getCanonicalizedEndpoint, getCanonicalizedQueryString, getCanonicalizedQueryString, getCanonicalizedResourcePath, getCanonicalizedResourcePath, getRequestPayload, getRequestPayloadWithoutQueryParams, getSignatureDate, getTimeOffset, hash, hash, hash, newString, sanitizeCredentials, sign, sign, signAndBase64Encode, signAndBase64Encode, signWithMac

Field Details

log

serviceName
Service name override for use when the endpoint can't be used to determine the service name.

regionName
Region name override for use when the endpoint can't be used to determine the region name.

overriddenDate
Date override for testing only.

doubleUrlEncode
protected boolean doubleUrlEncode
Whether to double url-encode the resource path when constructing the canonical request. By default, we enable double url-encoding. TODO: Different sigv4 services seem to be inconsistent on this. Services that want to suppress it should use new AWS4Signer(false).

Constructor Details

AWS4Signer
public AWS4Signer()
Construct a new AWS4 signer instance. By default, enable double url-encoding.

AWS4Signer
public AWS4Signer(boolean doubleUrlEncoding)
Construct a new AWS4 signer instance.
Parameters:
doubleUrlEncoding - Whether to double url-encode the resource path when constructing the canonical request.

Method Details

setServiceName
Sets the service name that this signer should use when calculating request signatures. This can almost always be determined directly from the request's endpoint, so you shouldn't need this method, but it's provided for the edge case where the information is not in the endpoint.
Specified by: setServiceName in interface ServiceAwareSigner
Parameters:
serviceName - The service name to use when calculating signatures in this signer.

setRegionName
Sets the region name that this signer should use when calculating request signatures. This can almost always be determined directly from the request's endpoint, so you shouldn't need this method, but it's provided for the edge case where the information is not in the endpoint.
Specified by: setRegionName in interface RegionAwareSigner
Parameters:
regionName - The region name to use when calculating signatures in this signer.

getRegionName
Returns the region name that is used when calculating the signature.

getServiceName
Returns the service name that is used when calculating the signature.

getOverriddenDate
Returns a copy of the date that overrides the signing date in the request. Returns null by default.

sign
Description copied from interface: Signer
Sign the given request with the given set of credentials. Modifies the passed-in request to apply the signature.

presignRequest
public void presignRequest(SignableRequest<?> request, AWSCredentials credentials, Date userSpecifiedExpirationDate)
Description copied from interface: Presigner
Signs the request by adding the signature to the URL rather than as a header. This method is expected to modify the passed-in request to add the signature.
Specified by: presignRequest in interface Presigner
Parameters:
request - The request to sign.
credentials - The credentials to sign it with.
userSpecifiedExpirationDate - The time when this presigned URL will expire.

createCanonicalRequest
Step 1 of the AWS Signature version 4 calculation. Refer to http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html to generate the canonical request.

createStringToSign
protected String createStringToSign(String canonicalRequest, com.amazonaws.auth.internal.AWS4SignerRequestParams signerParams)
Step 2 of the AWS Signature version 4 calculation. Refer to http://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html.

computeSignature
protected final byte[] computeSignature(String stringToSign, byte[] signingKey, com.amazonaws.auth.internal.AWS4SignerRequestParams signerRequestParams)
Step 3 of the AWS Signature version 4 calculation. It involves deriving the signing key and computing the signature. Refer to http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
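
The three steps documented for createCanonicalRequest, createStringToSign and computeSignature, written out with JDK classes only as an added example; this is not the SDK's AWS4Signer source. The class SigV4Sketch, its helper names, the host, region, service, timestamp and secret key are constructed sample values, and the path handling assumes the raw path is encoded once for the wire and a second time for signing when doubleUrlEncode is true.

```java
import java.math.BigInteger;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration of the three SigV4 steps; hypothetical class, not SDK code.
public class SigV4Sketch {
    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
    static String hex(byte[] b) { return String.format("%064x", new BigInteger(1, b)); }
    static String sha256Hex(String s) throws Exception {
        return hex(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
    }
    // RFC 3986 percent-encoding of a path, keeping '/' as the segment separator.
    static String encodePath(String path) throws Exception {
        return URLEncoder.encode(path, "UTF-8")
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~").replace("%2F", "/");
    }
    static String sign(String secret, String path, boolean doubleUrlEncode) throws Exception {
        String date = "20150830", ts = "20150830T123600Z";    // constructed timestamp
        String region = "us-east-1", service = "execute-api"; // constructed credential scope
        String host = "example.amazonaws.com";                // placeholder host
        // The wire path is encoded once; doubleUrlEncode encodes it again for signing only.
        String wirePath = encodePath(path);
        String canonicalPath = doubleUrlEncode ? encodePath(wirePath) : wirePath;
        // Step 1: canonical request (GET, empty query string, two signed headers, empty body).
        String canonicalRequest = "GET\n" + canonicalPath + "\n\n"
                + "host:" + host + "\nx-amz-date:" + ts + "\n\n"
                + "host;x-amz-date\n" + sha256Hex("");
        // Step 2: string to sign binds the algorithm, timestamp and credential scope.
        String scope = date + "/" + region + "/" + service + "/aws4_request";
        String stringToSign = "AWS4-HMAC-SHA256\n" + ts + "\n" + scope + "\n"
                + sha256Hex(canonicalRequest);
        // Step 3: derive the signing key (date, region, service, terminator), then sign.
        byte[] k = hmac(("AWS4" + secret).getBytes(StandardCharsets.UTF_8), date);
        k = hmac(hmac(hmac(k, region), service), "aws4_request");
        return hex(hmac(k, stringToSign));
    }
    public static void main(String[] args) throws Exception {
        String secret = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"; // sample key, not a real secret
        System.out.println("double-encoded path: " + sign(secret, "/docs/my file.txt", true));
        System.out.println("single-encoded path: " + sign(secret, "/docs/my file.txt", false));
    }
}
```

The two signatures differ because the canonical path is /docs/my%2520file.txt in the first call and /docs/my%20file.txt in the second, so a client and service that disagree on the encoding setting will not produce matching signatures.
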
addSessionCredentials
Description copied from class: AbstractAWSSigner
Adds session credentials to the request given.
Specified by: addSessionCredentials in class AbstractAWSSigner
Parameters:
request - The request to add session credentials information to
credentials - The session credentials to add to the request

getCanonicalizedHeaderString

getSignedHeadersString

shouldExcludeHeaderFromSigning

addHostHeader

calculateContentHash
Calculate the hash of the request's payload. A subclass can override this method to provide different values for the "x-amz-content-sha256" header or to do any other necessary set-up on the request headers (e.g. aws-chunked uses a pre-defined header value, and needs to change some headers relating to content-encoding and content-length).

processRequestPayload
protected void processRequestPayload(SignableRequest<?> request, byte[] signature, byte[] signingKey, com.amazonaws.auth.internal.AWS4SignerRequestParams signerRequestParams)
A subclass can override this method to perform any additional procedure on the request payload, with access to the result from signing the header (e.g. signing the payload by chunk-encoding). The default implementation doesn't need to do anything.

calculateContentHashPresign
Calculate the hash of the request's payload. In the pre-sign case, the existing code generates the hash of an empty byte array and returns it. Subclasses can override this method to provide different values; e.g. for S3 pre-signing, the content hash calculation is different from the general implementation.