对于每一次HTTP或者HTTPS协议请求,我们会根据访问中的签名信息验证访问请求者身份。具体由使用AccessKeyID和AccessKeySecret对称加密验证实现。其中AccessKeyID是访问者身份,AccessKeySecret是加密签名字符串和服务器端验证签名字符串的密钥,必须严格保密谨防泄露。

签名流程

  1. 指定请求参数
    在代码中指定请求参数,参数中需要包含公共请求头和接口必备的参数信息。
    说明 请求参数中不允许出现以Signature为key的参数。
    示例代码如下:
    String accessKeyId = "yourAccessId";
    String accessSecret = "yourAccessSecret";
    java.text.SimpleDateFormat df = new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
    df.setTimeZone(new java.util.SimpleTimeZone(0, "GMT"));// 这里一定要设置GMT时区
    java.util.Map<String, String> paras = new java.util.HashMap<String, String>();
    指定参数:
    paras.put("SignatureMethod", "HMAC-SHA1");
    paras.put("SignatureNonce", java.util.UUID.randomUUID().toString());
    paras.put("AccessKeyId", accessKeyId);
    paras.put("SignatureVersion", "1.0");
    paras.put("Timestamp", df.format(new java.util.Date()));
    paras.put("Format", "JSON");
    paras.put("RegionId", "cn-shanghai");
    # API 版本
    paras.put("Version", "2019-09-30");
    # API ACTION
    paras.put("Action", "MakeSuperResolutionImage");
    # 下面是业务参数
    parasput("Url", "http://viapi-demo.oss-cn-shanghai.aliyuncs.com/viapi-demo/images/MakeSuperResolution/sup-dog.png");
    去除签名关键字Key:
    if (paras.containsKey("Signature")) {
    paras.remove("Signature");
    }
  2. 根据参数Key排序(顺序)
    参考代码如下:
    java.util.TreeMap<String, String> sortParas = new java.util.TreeMap<String, String>();
    sortParas.putAll(paras);
  3. 构造待签名的请求串
    首先介绍下面会用到的特殊URL编码,这个是POP特殊的一种规则,即在一般的URLEncode后再增加三种字符替换:
    • 加号 (+)替换成 %20
    • 星号 (*)替换成 %2A
    • %7E 替换回波浪号 (~)
    参考代码如下:
    public static String specialUrlEncode(String value) throws Exception {
        return java.net.URLEncoder.encode(value, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }    
    构造待签名的请求串,把排序后的参数顺序拼接成如下格式:
    "&" + specialUrlEncode(参数Key) + "=" + specialUrlEncode(参数值)
    参考代码如下:
    java.util.Iterator<String> it = sortParas.keySet().iterator();
    StringBuilder sortQueryStringTmp = new StringBuilder();
    while (it.hasNext()) {
        String key = it.next();
        sortQueryStringTmp.append("&").append(specialUrlEncode(key)).append("=").append(specialUrlEncode(paras.get(key)));
    }
    String sortedQueryString = sortQueryStringTmp.substring(1);// 去除第一个多余的&符号
    打印上面的 sortQueryString。结果如下:
    AccessKeyId=yourAccessId&Action=MakeSuperResolutionImage&Format=JSON&RegionId=cn-shanghai&SignatureMethod=HMAC-SHA1&SignatureNonce=4a816d44-6186-4f7e-a45f-ba1b3ed73aed&SignatureVersion=1.0&Timestamp=2019-12-07T13%3A28%3A52Z&Url=http%3A%2F%2Fviapi-demo.oss-cn-shanghai.aliyuncs.com%2Fviapi-demo%2Fimages%2FMakeSuperResolution%2Fsup-dog.png&Version=2019-09-30
    对应的未URL编码的值(方便用户对比):
    AccessKeyId=yourAccessId&Action=MakeSuperResolutionImage&Format=JSON&RegionId=cn-shanghai&SignatureMethod=HMAC-SHA1&SignatureNonce=4a816d44-6186-4f7e-a45f-ba1b3ed73aed&SignatureVersion=1.0&Timestamp=2019-12-07T13:28:52Z&Url=http://viapi-demo.oss-cn-shanghai.aliyuncs.com/viapi-demo/images/MakeSuperResolution/sup-dog.png&Version=2019-09-30
    按POP的签名规则拼接成最终的待签名串。规则如下:
    HTTPMethod + “&” + specialUrlEncode(“/”) + ”&” + specialUrlEncode(sortedQueryString)
    参考代码如下:
    StringBuilder stringToSign = new StringBuilder();
    stringToSign.append("POST").append("&");
    stringToSign.append(specialUrlEncode("/")).append("&");
    stringToSign.append(specialUrlEncode(sortedQueryString));
    这就完成了待签名的请求字符串。打印结果如下:
    POST&%2F&AccessKeyId%3DyourAccessId&Action%3DMakeSuperResolutionImage&Format%3DJSON&RegionId%3Dcn-shanghai&SignatureMethod%3DHMAC-SHA1&SignatureNonce%3D4a816d44-6186-4f7e-a45f-ba1b3ed73aed&SignatureVersion%3D1.0&Timestamp%3D2019-12-07T13%253A28%253A52Z&Url%3Dhttp%253A%252F%252Fviapi-demo.oss-cn-shanghai.aliyuncs.com%252Fviapi-demo%252Fimages%252FMakeSuperResolution%252Fsup-dog.png&Version%3D2019-09-30
  4. 签名
    签名采用HmacSHA1算法 + Base64,编码采用UTF-8。参考代码如下:
    String sign = sign(accessSecret + "&", stringToSign.toString());
    public static String sign(String accessSecret, String stringToSign) throws Exception {
        javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA1");
        mac.init(new javax.crypto.spec.SecretKeySpec(accessSecret.getBytes("UTF-8"), "HmacSHA1"));
        byte[] signData = mac.doFinal(stringToSign.getBytes("UTF-8"));
        return new sun.misc.BASE64Encoder().encode(signData);
    }     
    参数说明:
    • accessSecret
      您的AccessKeyId对应的秘钥AccessSecret。
      说明 POP要求需要后面多加一个“&”字符,即accessSecret + “&”。
    • stringToSign

      第三步生成的待签名请求串。

    签名后的结果打印如下:
    poMnQhB2W5xndjcsW5VZjSdkvnU=
  5. 增加签名结果到请求参数中,发送请求
    String Signature = specialUrlEncode(sign);// poMnQhB2W5xndjcsW5VZjSdkvnU%3D
    说明 签名也要做特殊URL编码。
    最终完整的POST请求HTTP为:
    http://imageenhan.cn-shanghai.aliyuncs.com/?Signature=poMnQhB2W5xndjcsW5VZjSdkvnU%3D&AccessKeyId=yourAccessId&Action=MakeSuperResolutionImage&Format=JSON&RegionId=cn-shanghai&SignatureMethod=HMAC-SHA1&SignatureNonce=4a816d44-6186-4f7e-a45f-ba1b3ed73aed&SignatureVersion=1.0&Timestamp=2019-12-07T13%3A28%3A52Z&Url=http%3A%2F%2Fviapi-demo.oss-cn-shanghai.aliyuncs.com%2Fviapi-demo%2Fimages%2FMakeSuperResolution%2Fsup-dog.png&Version=2019-09-30
  6. JAVA示例
    完整的Java签名Demo代码:
    package com.aliyun.imageenhan.demo;
    import java.net.URI;
    import java.util.HashMap;
    import java.util.Map;
    
    import org.apache.http.HttpEntity;
    import org.apache.http.HttpResponse;
    import org.apache.http.client.HttpClient;
    import org.apache.http.client.methods.HttpPost;
    import org.apache.http.client.utils.URIBuilder;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.util.EntityUtils;
    
    public class SignDemo {
        static final String API_HTTP_METHOD = "POST";
        static final String API_VERSION = "2019-09-30";
        static final java.text.SimpleDateFormat DF = new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
        public static void main(String[] args) throws Exception {
            String accessKeyId = "yourAccessId";
            String accessSecret = "yourAccessSecret";
            DF.setTimeZone(new java.util.SimpleTimeZone(0, "GMT"));// 这里一定要设置GMT时区
            Map<String, String> params = new HashMap<>();//业务参数名字是大驼峰
            params.put("Url", "http://viapi-demo.oss-cn-shanghai.aliyuncs.com/viapi-demo/images/MakeSuperResolution/sup-dog.png");
            String action = "MakeSuperResolutionImage";
            execute(action, accessKeyId, accessSecret, params);
        }
        public static void execute(String action, String accessKeyId, String accessSecret, Map<String, String> bizParams) throws Exception {
            java.util.Map<String, String> paras = new java.util.HashMap<String, String>();
            // 1. 系统参数
            paras.put("SignatureMethod", "HMAC-SHA1");
            paras.put("SignatureNonce", java.util.UUID.randomUUID().toString());//防止重放攻击
            paras.put("AccessKeyId", accessKeyId);
            paras.put("SignatureVersion", "1.0");
            paras.put("Timestamp", DF.format(new java.util.Date()));
            paras.put("Format", "JSON");
            // 2. 业务API参数
            paras.put("RegionId", "cn-shanghai");
            paras.put("Version", API_VERSION);
            paras.put("Action", action);
            if (bizParams != null && !bizParams.isEmpty()) {
                paras.putAll(bizParams);
            }
            // 3. 去除签名关键字Key
            if (paras.containsKey("Signature")) {
                paras.remove("Signature");
            }
            // 4. 参数KEY排序
            java.util.TreeMap<String, String> sortParas = new java.util.TreeMap<String, String>();
            sortParas.putAll(paras);
            // 5. 构造待签名的字符串
            java.util.Iterator<String> it = sortParas.keySet().iterator();
            StringBuilder sortQueryStringTmp = new StringBuilder();
            StringBuilder sortQueryStringTmp1 = new StringBuilder();
            while (it.hasNext()) {
                String key = it.next();
                sortQueryStringTmp.append("&").append(specialUrlEncode(key)).append("=").append(specialUrlEncode(paras.get(key)));
                sortQueryStringTmp1.append("&").append(key).append("=").append(paras.get(key));
            }
            String sortedQueryString = sortQueryStringTmp.substring(1);// 去除第一个多余的&符号
            StringBuilder stringToSign = new StringBuilder();
            stringToSign.append(API_HTTP_METHOD).append("&");
            stringToSign.append(specialUrlEncode("/")).append("&");
            stringToSign.append(specialUrlEncode(sortedQueryString));
            String sign = sign(accessSecret + "&", stringToSign.toString());
            // 6. 签名最后也要做特殊URL编码
            String signature = specialUrlEncode(sign);
            System.out.println(paras.get("SignatureNonce"));
            System.out.println("\r\n=========\r\n");
            System.out.println(paras.get("Timestamp"));
            System.out.println("\r\n=========\r\n");
            System.out.println(sortedQueryString);
            System.out.println("\r\n=========\r\n");
            System.out.println(stringToSign.toString());
            System.out.println("\r\n=========\r\n");
            System.out.println(sign);
            System.out.println("\r\n=========\r\n");
            System.out.println(signature);
            System.out.println("\r\n=========\r\n");
            // 最终打印出合法请求的URL
            System.out.println("http://imageenhan.cn-shanghai.aliyuncs.com/?Signature=" + signature + sortQueryStringTmp);
    
            // 添加直接做post请求的方法
            try {
                // 使用生成的 URL 创建POST请求
                URIBuilder builder = new URIBuilder("http://imageenhan.cn-shanghai.aliyuncs.com/?Signature=" + signature + sortQueryStringTmp);
                URI uri = builder.build();
                HttpPost request = new HttpPost(uri);
                HttpClient httpclient = HttpClients.createDefault();
                HttpResponse response = httpclient.execute(request);
                HttpEntity entity = response.getEntity();
                if (entity != null) {
                    System.out.println(EntityUtils.toString(entity));
                }
            } catch (Exception e) {
                System.out.println(e.getMessage());
            }
        }
        public static String specialUrlEncode(String value) throws Exception {
            return java.net.URLEncoder.encode(value, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
        }
        public static String sign(String accessSecret, String stringToSign) throws Exception {
            javax.crypto.Mac mac = javax.crypto.Mac.getInstance("HmacSHA1");
            mac.init(new javax.crypto.spec.SecretKeySpec(accessSecret.getBytes("UTF-8"), "HmacSHA1"));
            byte[] signData = mac.doFinal(stringToSign.getBytes("UTF-8"));
            return new sun.misc.BASE64Encoder().encode(signData);
        }
    }