The ROA-style API signature consists of two parts: public request headers (HTTP header parameters and Alibaba Cloud protocol header parameters) and CanonicalizedResource. The message body is not included in the signature.
| Header | Description |
| --- | --- |
| Authorization | Authentication information used to verify the validity of the request, in the format acs AccessKeyId:signature. |
| Content-Length | HTTP request content length as defined in RFC 2616. |
| Content-Type | HTTP request content type as defined in RFC 2616. |
| Content-MD5 | Base64-encoded 128-bit MD5 hash of the HTTP message body. We recommend adding Content-MD5 to all requests to detect tampering with the body, which is otherwise not covered by the signature. |
| Date | Request time in GMT format, for example, Wed, 26 Aug. 2015 17:01:00 GMT. |
| Accept | Response type requested by the caller: application/json or application/xml. |
| Host | Address of the host being accessed, for example, ros.aliyuncs.com. |
| x-acs-signature-nonce | Unique random value used to prevent replay attacks. A different value must be used for each request. |
| x-acs-signature-method | Signature method. Currently only HMAC-SHA1 is supported. |
| x-acs-signature-version | Signature version. Currently 1.0. |
ROA-style API requests are signed using the standard Authorization header. The request format is as follows:
Authorization: acs AccessKeyId:Signature
The signature calculation must include the values (not the names) of the following headers: Accept, Content-MD5, Content-Type, and Date. Content-Length is not included in the signature. These values must appear in the order listed. If a header has no value, its position is an empty line, i.e. only the "\n" separator is emitted.
CanonicalizedHeaders are the non-standard HTTP headers of Alibaba Cloud, that is, the request headers whose names are prefixed with "x-acs-".
CanonicalizedHeaders are constructed as follows:
1. Convert the names of all HTTP request headers prefixed with "x-acs-" to lowercase. For example, "X-acs-OSS-Meta-Name: TaoBao" becomes "x-acs-oss-meta-name: TaoBao". Header names are case-insensitive according to Alibaba Cloud's specification, but we recommend using lowercase names only.
2. If a header value is long enough to contain the separators "\t", "\n", "\r", or "\f", replace each of them with a space.
3. Sort all headers obtained from the preceding step that comply with Alibaba Cloud's specification in lexicographically ascending order.
4. Delete any spaces on either side of the colon separating a header name from its value. For example, convert "x-acs-oss-meta-name: TaoBao,Alipay" into "x-acs-oss-meta-name:TaoBao,Alipay".
5. Join all header name/value lines with the separator "\n" to form the final CanonicalizedHeaders.
CanonicalizedResource is the standard description of the resource to be accessed. Sort the sub-resources together with the query parameters in lexicographically ascending order and join them with an ampersand (&) to form the sub-resource string (everything that follows the question mark (?) in the request). For example:
The sorting result is:
Authorization = acs AccessKeyId + ":" + Signature
Signature = Base64( HMAC-SHA1( AccessSecret, UTF-8-Encoding-Of( StringToSign ) ) )
HTTP-Verb + "\n" +
Accept + "\n" +
Content-MD5 + "\n" +
Content-Type + "\n" +
Date + "\n" +
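As an added worked example (not the page's or Alibaba Cloud's own code), the following Python builds CanonicalizedHeaders, CanonicalizedResource and StringToSign from the rules above, produces the Authorization value, and recomputes it on the receiving side. It assumes that CanonicalizedHeaders and CanonicalizedResource follow Date in StringToSign (the listing above stops at Date); SAMPLE_HEADERS, the verify helper and the sample values are constructed for this example.

```python
import base64
import hashlib
import hmac

def content_md5(body: bytes) -> str:
    """Base64 of the 128-bit MD5 of the message body (the Content-MD5 header)."""
    return base64.b64encode(hashlib.md5(body).digest()).decode()

def canonicalized_headers(headers: dict) -> str:
    """Keep x-acs-* headers, lowercase names, flatten separators in values,
    strip spaces around ':', sort, and terminate every line with '\\n'."""
    lines = []
    for name, value in headers.items():
        lname = name.lower()
        if not lname.startswith("x-acs-"):
            continue
        for sep in ("\t", "\n", "\r", "\f"):
            value = value.replace(sep, " ")
        lines.append(f"{lname}:{value.strip()}")
    lines.sort()
    return "".join(line + "\n" for line in lines)

def canonicalized_resource(path: str, query=None) -> str:
    """Path plus the lexicographically sorted query parameters, '&'-separated."""
    if not query:
        return path
    parts = [k if query[k] in (None, "") else f"{k}={query[k]}" for k in sorted(query)]
    return path + "?" + "&".join(parts)

def string_to_sign(method, headers, path, query=None):
    """Verb, Accept, Content-MD5, Content-Type, Date (each '\\n'-terminated; an absent
    header yields an empty line), then CanonicalizedHeaders + CanonicalizedResource."""
    lookup = {k.lower(): v for k, v in headers.items()}
    head = [method.upper()] + [lookup.get(h, "") for h in
                                ("accept", "content-md5", "content-type", "date")]
    return "\n".join(head) + "\n" + canonicalized_headers(headers) + canonicalized_resource(path, query)

def sign(access_key_id, access_secret, method, headers, path, query=None):
    """Authorization value: 'acs AccessKeyId:Base64(HMAC-SHA1(AccessSecret, StringToSign))'."""
    sts = string_to_sign(method, headers, path, query).encode("utf-8")
    mac = hmac.new(access_secret.encode("utf-8"), sts, hashlib.sha1).digest()
    return f"acs {access_key_id}:{base64.b64encode(mac).decode()}"

def verify(access_key_id, access_secret, authorization, method, headers, path, query=None):
    """Receiver side (assumed helper): recompute over the received request and compare in
    constant time, so any change to a signed header, the path or the query is rejected."""
    expected = sign(access_key_id, access_secret, method, headers, path, query)
    return hmac.compare_digest(expected, authorization)

# Constructed sample request headers (not from the page) for a stand-alone run.
SAMPLE_HEADERS = {"Accept": "application/json", "Date": "Wed, 26 Aug 2015 17:01:00 GMT",
                  "x-acs-signature-method": "HMAC-SHA1", "x-acs-signature-nonce": "n1",
                  "x-acs-signature-version": "1.0"}
```

Because the body is outside the signature, a receiver that wants body integrity must also recompute content_md5 over the received body and compare it with the signed Content-MD5 header.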