GAE 应用程序需要创建 Google Cloud Storage 的过期签名 URL [英] GAE Application needing to create Expiring Signed URL's to Google Cloud Storage
本文介绍了GAE 应用程序需要创建 Google Cloud Storage 的过期签名 URL的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我成功地创建了一个独立的 Java 应用程序,该应用程序创建了 Google Cloud Storage 中资产的到期签名 URL.但是,我一直没有成功弄清楚如何通过 AppEngine 创建这些相同资产的到期签名 URL.
I was successfully able to create a stand-alone Java Application that creates Expiring Signed URL's to assets sitting in Google Cloud Storage. However, I have been unsuccessful in figuring out how to create Expiring Signed URL's to these same assets through AppEngine.
如何创建可返回给客户端应用程序的 Google Cloud Storage Assets 的到期签名 URL?
How can I create a Expiring Signed URL to Google Cloud Storage Assets that I can return to client applications?
这是我的 Java 应用程序:
Here is my Java Application that works:
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URLEncoder;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.UnrecoverableKeyException;
import java.util.Calendar;
import org.apache.commons.codec.binary.Base64;
public class GCSSignedURL {
public static void main(String[] args) throws Exception {
final String googleAccessId = "XXXXXXXXXXXX@developer.gserviceaccount.com";
final String keyFile = "D:\XXXXXXXXXXXXXXXXXXXXXXXXXXXXX-privatekey.p12";
final String keyPassword = "notasecret";
Calendar calendar = Calendar.getInstance();
calendar.add(Calendar.MINUTE, 30);
String httpVerb = "GET";
String contentMD5 = "";
String contentType = "";
long expiration = calendar.getTimeInMillis();
String canonicalizedExtensionHeaders = "";
String canonicalizedResource = "/myproj/foo.txt";
String stringToSign =
httpVerb + "
" +
contentMD5 + "
" +
contentType + "
" +
expiration + "
" +
canonicalizedExtensionHeaders +
canonicalizedResource;
PrivateKey pkcsKey = loadKeyFromPkcs12(keyFile, keyPassword.toCharArray());
String signature = signData(pkcsKey, stringToSign);
String baseURL = "https://storage.cloud.google.com/myproj/foo.txt";
String urlEncodedSignature = URLEncoder.encode(signature, "UTF-8");
String url = baseURL + "?GoogleAccessId=" + googleAccessId + "&Expires=" + expiration + "&Signature=" + urlEncodedSignature;
System.out.println(url);
}
private static PrivateKey loadKeyFromPkcs12(String filename, char[] password)
throws Exception {
FileInputStream fis = new FileInputStream(filename);
KeyStore ks = KeyStore.getInstance("PKCS12");
try {
ks.load(fis, password);
} catch (IOException e) {
if (e.getCause() != null
&& e.getCause() instanceof UnrecoverableKeyException) {
System.err.println("Incorrect password");
}
throw e;
}
return (PrivateKey) ks.getKey("privatekey", password);
}
private static String signData(PrivateKey key, String data)
throws Exception {
Signature signer = Signature.getInstance("SHA256withRSA");
signer.initSign(key);
signer.update(data.getBytes("UTF-8"));
byte[] rawSignature = signer.sign();
String encodedSignature = new String(Base64.encodeBase64(rawSignature,
false), "UTF-8");
return encodedSignature;
}
}
这是我尝试过的:
public String signUrl(Long _songId, String _format) throws ResourceNotFoundException
{
final String googleAccessId = "XXXXXXXXXXXXXXXXXX@developer.gserviceaccount.com";
AppIdentityService service = AppIdentityServiceFactory.getAppIdentityService();
Calendar calendar = Calendar.getInstance();
calendar.add(Calendar.MINUTE, 5);
String httpVerb = "GET";
String contentMD5 = "";
String contentType = "";
long expiration = calendar.getTimeInMillis();
String canonicalizedExtensionHeaders = "";
String canonicalizedResource = "/myproj/foo.txt";
String stringToSign =
httpVerb + "
" +
contentMD5 + "
" +
contentType + "
" +
expiration + "
" +
canonicalizedExtensionHeaders +
canonicalizedResource;
SigningResult key = service.signForApp(stringToSign.getBytes());
String baseURL = "https://storage.cloud.google.com/myproj/foo.txt";
String encodedUrl = baseURL + "?GoogleAccessId=" + googleAccessId + "&Expires=" + expiration
+ "&Signature=" + key.getKeyName();
return encodedUrl;
}
结果是一个即将过期的 URL,但要求我使用我的 google 电子邮件/密码进行身份验证,因此签名无法正常工作.
The result is an expiring URL but requires me to authenticate with my google email / password so the signing isn't working properly.
我最终能够使用 Fabio 的建议生成一个编码的 URL,但是,我现在得到:
I was able to finally generate an encoded URL using Fabio's suggestion, however, I now get:
<?xml version="1.0" encoding="UTF-8"?>
-<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated
does not match the signature you provided. Check your Google secret key and signing
method.</Message>
<StringToSign>
GET 1374729586 /[my_bucket]/[my_folder]/file.png</StringToSign>
</Error>
我用来生成 URL 的代码是:
The code I am using to generate the URL is:
AppIdentityService service = AppIdentityServiceFactory.getAppIdentityService();
final String googleAccessId = service.getServiceAccountName();
String url = songUrl(_songId, _format);
Calendar calendar = Calendar.getInstance();
calendar.add(Calendar.MINUTE, 10);
String httpVerb = "GET";
String contentMD5 = "";
String contentType = "";
long expiration = calendar.getTimeInMillis()/1000L;
String canonicalizedExtensionHeaders = "";
String canonicalizedResource = "/[my_bucket]/[my_folder]/file.png";
String stringToSign =
httpVerb + "
" +
contentMD5 + "
" +
contentType + "
" +
expiration + "
" +
canonicalizedExtensionHeaders +
canonicalizedResource;
try
{
String baseURL = http://[my_bucket].commondatastorage.googleapis.com/[my_folder]/file.png;
SigningResult signingResult = service.signForApp(stringToSign.getBytes());
String encodedSignature = new String(Base64.encodeBase64(signingResult.getSignature(), false), "UTF-8");
String encodedUrl = baseURL + "?GoogleAccessId=" + googleAccessId + "&Expires=" + expiration
+ "&Signature=" + encodedSignature;
return encodedUrl;
}
catch (UnsupportedEncodingException e)
{
throw new ResourceNotFoundException("Unable to encode URL. Unsupported encoding exception.", e);
}
推荐答案
两件事:
对于 googleAccessId 使用:
String googleAccessId = service.getServiceAccountName();
对于签名使用:
SigningResult signingResult = service
.signForApp(stringToSign.getBytes());
String encodedSignature = new String(Base64.encodeBase64(
signingResult.getSignature(), false), "UTF-8");
这对我有用.请参阅下面的示例签名者类:
That's what worked for me. See below a sample signer class:
public class GcsAppIdentityServiceUrlSigner {
private static final int EXPIRATION_TIME = 5;
private static final String BASE_URL = "https://storage.googleapis.com";
private static final String BUCKET = "my_bucket";
private static final String FOLDER = "folder";
private final AppIdentityService identityService = AppIdentityServiceFactory.getAppIdentityService();
public String getSignedUrl(final String httpVerb, final String fileName) throws Exception {
final long expiration = expiration();
final String unsigned = stringToSign(expiration, fileName, httpVerb);
final String signature = sign(unsigned);
return new StringBuilder(BASE_URL).append("/")
.append(BUCKET)
.append("/")
.append(FOLDER)
.append("/")
.append(fileName)
.append("?GoogleAccessId=")
.append(clientId())
.append("&Expires=")
.append(expiration)
.append("&Signature=")
.append(URLEncoder.encode(signature, "UTF-8")).toString();
}
private static long expiration() {
final long unitMil = 1000l;
final Calendar calendar = Calendar.getInstance();
calendar.add(Calendar.MINUTE, EXPIRATION_TIME);
final long expiration = calendar.getTimeInMillis() / unitMil;
return expiration;
}
private String stringToSign(final long expiration, String filename, String httpVerb) {
final String contentType = "";
final String contentMD5 = "";
final String canonicalizedExtensionHeaders = "";
final String canonicalizedResource = "/" + BUCKET + "/" + FOLDER + "/" + filename;
final String stringToSign = httpVerb + "
" + contentMD5 + "
" + contentType + "
"
+ expiration + "
" + canonicalizedExtensionHeaders + canonicalizedResource;
return stringToSign;
}
protected String sign(final String stringToSign) throws UnsupportedEncodingException {
final SigningResult signingResult = identityService
.signForApp(stringToSign.getBytes());
final String encodedSignature = new String(Base64.encodeBase64(
signingResult.getSignature(), false), "UTF-8");
return encodedSignature;
}
protected String clientId() {
return identityService.getServiceAccountName();
}
}
这篇关于GAE 应用程序需要创建 Google Cloud Storage 的过期签名 URL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
