Start line:  
End line:  

Snippet Preview

Snippet HTML Code

Stack Overflow Questions
  /*
   * Copyright 2013-2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
   *
   * Licensed under the Apache License, Version 2.0 (the "License").
   * You may not use this file except in compliance with the License.
   * A copy of the License is located at
   *
   *  http://aws.amazon.com/apache2.0
   *
  * or in the "license" file accompanying this file. This file is distributed
  * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
  * express or implied. See the License for the specific language governing
  * permissions and limitations under the License.
  */
 package com.amazonaws.services.cloudfront;
 
 import static com.amazonaws.util.StringUtils.UTF8;
 import static java.util.concurrent.TimeUnit.MILLISECONDS;
 
 import java.io.File;
 import java.util.Date;
 
 
 // The source code originated from the .NET implementation at
 // https://github.com/aws/aws-sdk-net/blob/master/AWSSDK_DotNet35/Amazon.CloudFront/AmazonCloudFrontUrlSigner.cs
Utility class for generating pre-signed URLs for serving private cloudfront content. All dates must be in UTC. Use java.util.Calendar to set the timezone specifically before converting to a java.util.Date object, or else use com.amazonaws.util.DateUtils to turn a UTC date String into a Date object.
 Protocol protocol = Protocol.http;
 String distributionDomain = "d1b2c3a4g5h6.cloudfront.net";
 File privateKeyFile = new File("/path/to/cfcurlCloud/rsa-private-key.pem");
 String s3ObjectKey = "/a/b/images.jpeg";
 String keyPairId = "APKAJCEOKRHC3XIVU5NA";
 Date dateLessThan = DateUtils.parseIso8601Date("2012-11-14T22:20:00.000Z");
 Date dateGreaterThan = DateUtils.parseIso8601Date("2011-11-14T22:20:00.000Z")
 String ipRange = "192.168.0.1/24";
 
 String url1 = CloudFrontUrlSigner.getCannedSignedURL(protocol, distributionDomain, privateKeyFile,
              s3ObjectKey, keyPairId, dateLessThan);
      
 String url2 = CloudFrontUrlSigner.getCustomSignedURL(protocol, distributionDomain, privateKeyFile,
              s3ObjectKey, keyPairId, dateLessThan, dateGreaterThan, ipRange);
 

 
 public enum CloudFrontUrlSigner {
     ;
     private static final SecureRandom srand = new SecureRandom();
    
Enumeration of protocols for presigned URLs
 
     public static enum Protocol {
         http, https, rtmp
     }

    
Returns a signed URL with a canned policy that grants universal access to private content until a given date. For more information, see Overview of Signed URLs.

Parameters:
protocol The protocol of the URL
distributionDomain The domain name of the distribution
s3ObjectKey The s3 key of the object, or the name of the stream for rtmp
privateKeyFile The private key file. RSA private key (.pem) and pkcs8 (.der) files are supported.
keyPairId The key pair id corresponding to the private key file given
dateLessThan The expiration date of the signed URL in UTC
Returns:
The signed URL.
    public static String getSignedURLWithCannedPolicy(final Protocol protocol,
                                            final String distributionDomain,
                                            final File privateKeyFile,
                                            final String s3ObjectKey,
                                            final String keyPairId,
                                            final Date dateLessThan
            throws InvalidKeySpecExceptionIOException {
        final String resourcePath = generateResourcePath(protocoldistributionDomains3ObjectKey);
        PrivateKey privateKey = loadPrivateKey(privateKeyFile);
        return getSignedURLWithCannedPolicy(resourcePathkeyPairIdprivateKeydateLessThan);
    }

    
Returns a signed URL that provides tailored access to private content based on an access time window and an ip range. For more information, see Overview of Signed URLs.

Parameters:
protocol The protocol of the URL
distributionDomain The domain name of the distribution
privateKeyFile Your private key file. RSA private key (.pem) and pkcs8 (.der) files are supported.
s3ObjectKey The s3 key of the object, or the name of the stream for rtmp
keyPairId The key pair id corresponding to the private key file given
dateLessThan The expiration date of the signed URL in UTC
dateGreaterThan The beginning valid date of the signed URL in UTC
ipRange The allowed IP address range of the client making the GET request, in CIDR form (e.g. 192.168.0.1/24).
Returns:
The signed URL.
Throws:
java.io.IOException
java.security.spec.InvalidKeySpecException
    public static String getSignedURLWithCustomPolicy(final Protocol protocol,
                                            final String distributionDomain,
                                            final File privateKeyFile,
                                            final String s3ObjectKey,
                                            final String keyPairId,
                                            final Date dateLessThan,
                                            final Date dateGreaterThan,
                                            final String ipRange
            throws InvalidKeySpecExceptionIOException {
        PrivateKey privateKey = loadPrivateKey(privateKeyFile);
        final String resourcePath = generateResourcePath(protocoldistributionDomains3ObjectKey);
        String policy = buildCustomPolicyForSignedUrl(resourcePathdateLessThanipRangedateGreaterThan);
        return getSignedURLWithCustomPolicy(resourcePathkeyPairIdprivateKeypolicy);
    }

    
Generate a signed URL that allows access to distribution and S3 objects by applying access restrictions specified in a custom policy document. For more information, see Overview of Signed URLs.

Parameters:
resourceUrlOrPath The URL or path that uniquely identifies a resource within a distribution. For standard distributions the resource URL will be "http://" + distributionName + "/" + objectKey (may also include URL parameters. For distributions with the HTTPS required protocol, the resource URL must start with "https://". RTMP resources do not take the form of a URL, and instead the resource path is nothing but the stream's name.
keyPairId Identifier of a public/private certificate keypair already configured in your Amazon Web Services account.
privateKey The RSA private key data that corresponding to the certificate keypair identified by keyPairId.
policy A policy document that describes the access permissions that will be applied by the signed URL. To generate a custom policy use
Returns:
A signed URL that will permit access to distribution and S3 objects as specified in the policy document.
    public static String getSignedURLWithCustomPolicy(String resourceUrlOrPath,
            String keyPairIdPrivateKey privateKeyString policy) {
        try {
            byte[] signatureBytes = signWithSha1RSA(
                    policy.getBytes(), privateKey);
            String urlSafePolicy = makeStringUrlSafe(policy);
            String urlSafeSignature = makeBytesUrlSafe(signatureBytes);
            String signedUrl = resourceUrlOrPath
                    + (resourceUrlOrPath.indexOf('?') >= 0 ? "&" : "?")
                    + "Policy=" + urlSafePolicy 
                    + "&Signature=" + urlSafeSignature 
                    + "&Key-Pair-Id=" + keyPairId
                    ;
            return signedUrl;
        } catch (InvalidKeyException e) {
            throw new AmazonClientException("Coudln't sign url"e);
        }
    }

    
Generate a signed URL that allows access to a specific distribution and S3 object by applying a access restrictions from a "canned" (simplified) policy document. For more information, see Overview of Signed URLs.

Parameters:
resourceUrlOrPath The URL or path that uniquely identifies a resource within a distribution. For standard distributions the resource URL will be "http://" + distributionName + "/" + objectKey (may also include URL parameters. For distributions with the HTTPS required protocol, the resource URL must start with "https://". RTMP resources do not take the form of a URL, and instead the resource path is nothing but the stream's name.
keyPairId Identifier of a public/private certificate keypair already configured in your Amazon Web Services account.
privateKey The private key data that corresponding to the keypair identified by keyPairId
dateLessThan The UTC time and date when the signed URL will expire. REQUIRED.
Returns:
A signed URL that will permit access to a specific distribution and S3 object.
    public static String getSignedURLWithCannedPolicy(String resourceUrlOrPath,
                                       String keyPairId,
                                       PrivateKey privateKey,
                                       Date dateLessThan) {
        try {
            String cannedPolicy = buildCannedPolicy(resourceUrlOrPathdateLessThan);
            byte[] signatureBytes = signWithSha1RSA(cannedPolicy.getBytes(), privateKey);
            String urlSafeSignature = makeBytesUrlSafe(signatureBytes);
            String signedUrl = resourceUrlOrPath 
                             + (resourceUrlOrPath.indexOf('?') >= 0 ? "&" : "?"
                             + "Expires=" + .toSeconds(dateLessThan.getTime()) 
                             + "&Signature=" + urlSafeSignature 
                             + "&Key-Pair-Id=" + keyPairId
                             ;
            return signedUrl;
        } catch ( InvalidKeyException e ) {
            throw new AmazonClientException("Couldn't sign url"e);
        }
    }

    
Generate a policy document that describes custom access permissions to apply via a private distribution's signed URL.

Parameters:
resourcePath An optional HTTP/S or RTMP resource path that restricts which distribution and S3 objects will be accessible in a signed URL. For standard distributions the resource URL will be "http://" + distributionName + "/" + objectKey (may also include URL parameters. For distributions with the HTTPS required protocol, the resource URL must start with "https://". RTMP resources do not take the form of a URL, and instead the resource path is nothing but the stream's name. The '*' and '?' characters can be used as a wildcards to allow multi-character or single-character matches respectively:
  • * : All distributions/objects will be accessible
  • a1b2c3d4e5f6g7.cloudfront.net/* : All objects within the distribution a1b2c3d4e5f6g7 will be accessible
  • a1b2c3d4e5f6g7.cloudfront.net/path/to/object.txt : Only the S3 object named path/to/object.txt in the distribution a1b2c3d4e5f6g7 will be accessible.
If this parameter is null the policy will permit access to all distributions and S3 objects associated with the certificate keypair used to generate the signed URL.
epochDateLessThan The UTC time and date when the signed URL will expire. REQUIRED.
limitToIpAddressCIDR An optional range of client IP addresses that will be allowed to access the distribution, specified as a CIDR range. If null, the CIDR will be 0.0.0.0/0 and any client will be permitted.
epochDateGreaterThan An optional UTC time and date when the signed URL will become active. If null, the signed URL will be active as soon as it is created.
Returns:
A policy document describing the access permission to apply when generating a signed URL.
    public static String buildCustomPolicyForSignedUrl(String resourcePath,
                                                 Date epochDateLessThan,
                                                 String limitToIpAddressCIDR,
                                                 Date epochDateGreaterThan) {
        if ( epochDateLessThan == null ) {
            throw new AmazonClientException("epochDateLessThan must be provided to sign CloudFront URLs");
        }
        if ( resourcePath == null ) {
            resourcePath = "*";
        }
        String ipAddress = (limitToIpAddressCIDR == null 
                         ? "0.0.0.0/0" // No IP restriction
                         : limitToIpAddressCIDR)
                         ;
        return buildCustomPolicy(resourcePathepochDateLessThan,
                epochDateGreaterThanipAddress);
    }

    
Returns a custom policy for the given parameters.
    static String buildCustomPolicy(String resourcePath,
            Date epochDateLessThanDate epochDateGreaterThanString ipAddress) {
        return "{\"Statement\": [{"
                + "\"Resource\":\""
                + resourcePath
                + "\""
                + ",\"Condition\":{"
                + "\"DateLessThan\":{\"AWS:EpochTime\":"
                + .toSeconds(epochDateLessThan.getTime())
                + "}"
                + ",\"IpAddress\":{\"AWS:SourceIp\":\""
                + ipAddress
                + "\"}"
                + (epochDateGreaterThan == null 
                   ? "" 
                   : ",\"DateGreaterThan\":{\"AWS:EpochTime\":" 
                     + .toSeconds(epochDateGreaterThan.getTime()) + "}"
                  )
                + "}}]}";
    }

    
Returns a "canned" policy for the given parameters. For more information, see Overview of Signed URLs.
    static String buildCannedPolicy(String resourceUrlOrPath,
            Date dateLessThan) {
        return "{\"Statement\":[{\"Resource\":\""
                + resourceUrlOrPath
                + "\",\"Condition\":{\"DateLessThan\":{\"AWS:EpochTime\":"
                + .toSeconds(dateLessThan.getTime())
                + "}}}]}";
    }

    
Converts the given data to be safe for use in signed URLs for a private distribution by using specialized Base64 encoding.
    static String makeBytesUrlSafe(byte[] bytes) {
        byte[] encoded = Base64.encode(bytes);
        for (int i=0; i < encoded.lengthi++) {
            switch(encoded[i]) {
                case '+':
                    encoded[i] = '-'continue;
                case '=':
                    encoded[i] = '_'continue;
                case '/':
                    encoded[i] = '~'continue;
                default:
                    continue;
            }
        }
        return new String(encoded);
    }

    
Converts the given string to be safe for use in signed URLs for a private distribution.
    private static String makeStringUrlSafe(String str) {
        return makeBytesUrlSafe(str.getBytes(.));
    }

    
Returns the resource path for the given distribution, object, and protocol.
    private static String generateResourcePath(final Protocol protocol,
            final String distributionDomainfinal String s3ObjectKey) {
        return protocol == . || protocol == .
             ? protocol + "://" + distributionDomain + "/" + s3ObjectKey
             : s3ObjectKey
             ;
    }

    
Creates a private key from the file given, either in RSA private key (.pem) or pkcs8 (.der) format. Other formats will cause an exception to be thrown.
    static PrivateKey loadPrivateKey(File privateKeyFilethrows InvalidKeySpecExceptionIOException {
        if ( privateKeyFile.getAbsolutePath().toLowerCase().endsWith(".pem") ) {
            InputStream is = new FileInputStream(privateKeyFile);
            try {
                return PEM.readPrivateKey(is);
            } finally {
                try {is.close();} catch(IOException ignore) {}
            }
        } else if ( privateKeyFile.getAbsolutePath().toLowerCase().endsWith(".der") ) {
            InputStream is = new FileInputStream(privateKeyFile);
            try {
                return RSA.privateKeyFromPKCS8(IOUtils.toByteArray(is));
            } finally {
                try {is.close();} catch(IOException ignore) {}
            }
        } else {
            throw new AmazonClientException("Unsupported file type for private key");
        }
    }

    
Signs the data given with the private key given, using the SHA1withRSA algorithm provided by bouncy castle.
    private static byte[] signWithSha1RSA(byte[] dataToSign,
            PrivateKey privateKeythrows InvalidKeyException {
        Signature signature;
        try {
            signature = Signature.getInstance("SHA1withRSA");
            signature.initSign(privateKey);
            signature.update(dataToSign);
            return signature.sign();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        } catch (SignatureException e) {
            throw new IllegalStateException(e);
        }
    }
New to GrepCode? Check out our FAQ X