全部产品
云市场

请求签名

更新时间:2019-10-13 10:18:05

对于每一次HTTP或者HTTPS协议请求,我们会根据访问中的签名信息验证访问请求者身份。具体由使用AccessKeyID和AccessKeySecret对称加密验证实现。其中AccessKeyID是访问者身份,AccessKeySecret是加密签名字符串和服务器端验证签名字符串的密钥,必须严格保密谨防泄露。

1. 指定请求参数

在代码中指定请求参数,参数中需要包含公共请求头和接口必备的参数信息。

说明 请求参数中不允许出现以Signature为key的参数。
示例代码如下:

  1. String accessKeyId = "yourAccessId";
  2. String accessSecret = "yourAccessSecret";
  3. java.text.SimpleDateFormat df = new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
  4. df.setTimeZone(new java.util.SimpleTimeZone(0, "GMT"));// 这里一定要设置GMT时区
  5. java.util.Map<String, String> paras = new java.util.HashMap<String, String>();

指定参数:

  1. paras.put("SignatureMethod", "HMAC-SHA1");
  2. paras.put("SignatureNonce", java.util.UUID.randomUUID().toString());
  3. paras.put("AccessKeyId", accessKeyId);
  4. paras.put("SignatureVersion", "1.0");
  5. paras.put("Timestamp", df.format(new java.util.Date()));
  6. paras.put("Format", "JSON");
  7. paras.put("RegionId", "cn-shanghai");
  8. # API 版本
  9. paras.put("Version", "2019-06-25");
  10. # API ACTION
  11. paras.put("Action", "SegmentImage");
  12. # 下面是业务参数
  13. paras.put("Url", "http://vigen-invi-cdn.alibaba.com/aliyun-doc/pop/images/segment-image-src.jpg");

去除签名关键字Key:

  1. if (paras.containsKey("Signature")) {
  2. paras.remove("Signature");
  3. }

2. 根据参数Key排序(顺序)

参考代码如下:

  1. java.util.TreeMap<String, String> sortParas = new java.util.TreeMap<String, String>();
  2. .sortParas.putAll(paras);

3. 构造待签名的请求串

首先介绍下面会用到的特殊URL编码这个是POP特殊的一种规则,即在一般的URLEncode后再增加三种字符替换:加号 (+)替换成 %20、星号 (*)替换成 %2A%7E 替换回波浪号 (~)参考代码如下:

  1. public static String specialUrlEncode(String value) throws Exception {
  2. return java.net.URLEncoder.encode(value, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
  3. }

构造待签名的请求串:
把排序后的参数顺序拼接成如下格式:

  1. "&" + specialUrlEncode(参数Key) + "=" + specialUrlEncode(参数值)

参考代码如下:

  1. java.util.Iterator<String> it = sortParas.keySet().iterator();
  2. StringBuilder sortQueryStringTmp = new StringBuilder();
  3. while (it.hasNext()) {
  4. String key = it.next();
  5. sortQueryStringTmp.append("&").append(specialUrlEncode(key)).append("=").append(specialUrlEncode(paras.get(key)));
  6. }
  7. String sortedQueryString = sortQueryStringTmp.substring(1);// 去除第一个多余的&符号

打印上面的 sortQueryString。结果如下:

  1. AccessKeyId=yourAccessId&Action=SegmentImage&Format=JSON&RegionId=cn-shanghai&SignatureMethod=HMAC-SHA1&SignatureNonce=3ed0a494-421e-4979-ab1e-f0e28072795a&SignatureVersion=1.0&Timestamp=2019-10-13T01%3A28%3A40Z&Url=http%3A%2F%2Fvigen-invi-cdn.alibaba.com%2Faliyun-doc%2Fpop%2Fimages%2Fsegment-image-src.jpg&Version=2019-06-25

对应的未URL编码的值(方便用户对比):

  1. AccessKeyId=yourAccessId&Action=SegmentImage&Format=JSON&RegionId=cn-shanghai&SignatureMethod=HMAC-SHA1&SignatureNonce=3ed0a494-421e-4979-ab1e-f0e28072795a&SignatureVersion=1.0&Timestamp=2019-10-13T01:28:40Z&Url=http://vigen-invi-cdn.alibaba.com/aliyun-doc/pop/images/segment-image-src.jpg&Version=2019-06-25

按POP的签名规则拼接成最终的待签名串。规则如下:

  1. HTTPMethod + “&” + specialUrlEncode(“/”) + ”&” + specialUrlEncode(sortedQueryString)

参考代码如下:

  1. StringBuilder stringToSign = new StringBuilder();
  2. stringToSign.append("GET").append("&");
  3. stringToSign.append(specialUrlEncode("/")).append("&");
  4. stringToSign.append(specialUrlEncode(sortedQueryString));

这就完成了待签名的请求字符串。打印结果如下:

  1. POST&%2F&AccessKeyId%3DyourAccessId%26Action%3DSegmentImage%26Format%3DJSON%26RegionId%3Dcn-shanghai%26SignatureMethod%3DHMAC-SHA1%26SignatureNonce%3D39720f7f-373c-4b7c-9ec8-520fdc51741f%26SignatureVersion%3D1.0%26Timestamp%3D2019-10-13T02%253A15%253A41Z%26Url%3Dhttp%253A%252F%252Fvigen-invi-cdn.alibaba.com%252Faliyun-doc%252Fpop%252Fimages%252Fsegment-image-src.jpg%26Version%3D2019-06-25

4. 签名

签名采用HmacSHA1算法 + Base64,编码采用UTF-8。参考代码如下:

  1. String sign = sign(accessSecret + "&", stringToSign.toString());
  2. public static String sign(String accessSecret, String stringToSign) throws Exception {
  3. javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA1");
  4. mac.init(new javax.crypto.spec.SecretKeySpec(accessSecret.getBytes("UTF-8"), "HmacSHA1"));
  5. byte[] signData = mac.doFinal(stringToSign.getBytes("UTF-8"));
  6. return new sun.misc.BASE64Encoder().encode(signData);
  7. }

参数说明:

  1. accessSecret:你的AccessKeyId对应的秘钥AccessSecret,特别说明:POP要求需要后面多加一个“&”字符,即accessSecret + “&”
  2. stringToSign:即第三步生成的待签名请求串

签名后的结果打印如下:

  1. sEl89yBxH69oSz52bM0S7rLc0vM=

5. 增加签名结果到请求参数中,发送请求

说明 签名也要做特殊URL编码。

  1. String Signature = specialUrlEncode(sign);// sEl89yBxH69oSz52bM0S7rLc0vM%3D

最终完整的POST请求HTTP为:

  1. http://ivpd.cn-shanghai.aliyuncs.com/?Signature=sEl89yBxH69oSz52bM0S7rLc0vM%3D&AccessKeyId=yourAccessId&Action=SegmentImage&Format=JSON&RegionId=cn-shanghai&SignatureMethod=HMAC-SHA1&SignatureNonce=39720f7f-373c-4b7c-9ec8-520fdc51741f&SignatureVersion=1.0&Timestamp=2019-10-13T02%3A15%3A41Z&Url=http%3A%2F%2Fvigen-invi-cdn.alibaba.com%2Faliyun-doc%2Fpop%2Fimages%2Fsegment-image-src.jpg&Version=2019-06-25

最后发起请求示例:

](http://public-vigen-invi-zb.oss-cn-zhangjiakou.aliyuncs.com/aliyun-doc/pop/images/HTTP-REST-DOC.jpg

JAVA示例

完整的Java签名Demo代码:

  1. package com.aliyun.aic.demo;
  2. import java.util.HashMap;
  3. import java.util.Map;
  4. public class SignDemo {
  5. static final String API_HTTP_METHOD = "POST";
  6. static final String API_VERSION = "2019-06-25";
  7. static final java.text.SimpleDateFormat DF = new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
  8. public static void main(String[] args) throws Exception {
  9. String accessKeyId = "yourAccessId";
  10. String accessSecret = "yourAccessSecret";
  11. DF.setTimeZone(new java.util.SimpleTimeZone(0, "GMT"));// 这里一定要设置GMT时区
  12. Map<String, String> params = new HashMap<>();//业务参数名字是大驼峰
  13. params.put("Url", "http://vigen-invi-cdn.alibaba.com/aliyun-doc/pop/images/segment-image-src.jpg");
  14. String action = "SegmentImage";
  15. execute(action, accessKeyId, accessSecret, params);
  16. }
  17. public static void execute(String action, String accessKeyId, String accessSecret, Map<String, String> bizParams) throws Exception {
  18. java.util.Map<String, String> paras = new java.util.HashMap<String, String>();
  19. // 1. 系统参数
  20. paras.put("SignatureMethod", "HMAC-SHA1");
  21. paras.put("SignatureNonce", java.util.UUID.randomUUID().toString());//防止重放攻击
  22. paras.put("AccessKeyId", accessKeyId);
  23. paras.put("SignatureVersion", "1.0");
  24. paras.put("Timestamp", DF.format(new java.util.Date()));
  25. paras.put("Format", "JSON");
  26. // 2. 业务API参数
  27. paras.put("RegionId", "cn-shanghai");
  28. paras.put("Version", API_VERSION);
  29. paras.put("Action", action);
  30. if (bizParams != null && !bizParams.isEmpty()) {
  31. paras.putAll(bizParams);
  32. }
  33. // 3. 去除签名关键字Key
  34. if (paras.containsKey("Signature")) {
  35. paras.remove("Signature");
  36. }
  37. // 4. 参数KEY排序
  38. java.util.TreeMap<String, String> sortParas = new java.util.TreeMap<String, String>();
  39. sortParas.putAll(paras);
  40. // 5. 构造待签名的字符串
  41. java.util.Iterator<String> it = sortParas.keySet().iterator();
  42. StringBuilder sortQueryStringTmp = new StringBuilder();
  43. while (it.hasNext()) {
  44. String key = it.next();
  45. sortQueryStringTmp.append("&").append(specialUrlEncode(key)).append("=").append(specialUrlEncode(paras.get(key)));
  46. }
  47. String sortedQueryString = sortQueryStringTmp.substring(1);// 去除第一个多余的&符号
  48. StringBuilder stringToSign = new StringBuilder();
  49. stringToSign.append(API_HTTP_METHOD).append("&");
  50. stringToSign.append(specialUrlEncode("/")).append("&");
  51. stringToSign.append(specialUrlEncode(sortedQueryString));
  52. String sign = sign(accessSecret + "&", stringToSign.toString());
  53. // 6. 签名最后也要做特殊URL编码
  54. String signature = specialUrlEncode(sign);
  55. System.out.println(paras.get("SignatureNonce"));
  56. System.out.println("\r\n=========\r\n");
  57. System.out.println(paras.get("Timestamp"));
  58. System.out.println("\r\n=========\r\n");
  59. System.out.println(sortedQueryString);
  60. System.out.println("\r\n=========\r\n");
  61. System.out.println(stringToSign.toString());
  62. System.out.println("\r\n=========\r\n");
  63. System.out.println(sign);
  64. System.out.println("\r\n=========\r\n");
  65. System.out.println(signature);
  66. System.out.println("\r\n=========\r\n");
  67. // 最终打印出合法请求的URL
  68. System.out.println("http://ivpd.cn-shanghai.aliyuncs.com/?Signature=" + signature + sortQueryStringTmp);
  69. }
  70. public static String specialUrlEncode(String value) throws Exception {
  71. return java.net.URLEncoder.encode(value, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
  72. }
  73. public static String sign(String accessSecret, String stringToSign) throws Exception {
  74. javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA1");
  75. mac.init(new javax.crypto.spec.SecretKeySpec(accessSecret.getBytes("UTF-8"), "HmacSHA1"));
  76. byte[] signData = mac.doFinal(stringToSign.getBytes("UTF-8"));
  77. return new sun.misc.BASE64Encoder().encode(signData);
  78. }
  79. }