In addition to including the Authorization header in the request, you can also add signature information to a URL so that you can forward the URL to a third party for authorized access.
- If you generate a signed URL, the data that is authorized will be exposed to the Internet as long as the authorization is valid. We recommend that you assess the risks in advance.
- A signature cannot be included in a URL and a header at the same time.
- You can add a signature to a URL in PUT and GET requests.
- You can generate a pre-signed URL for a PUT operation to check whether the operation uploads the correct content. When the SDK generates the pre-signed URL for the request, it computes the MD5 hash of the request body and includes the MD5 hash in the pre-signed URL. The MD5 hash of the content uploaded by the PUT operation must be the same as the MD5 hash computed by the SDK. Otherwise, the operation fails. To enforce Content-MD5, simply add the header to the request.
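The following code provides an example of how to generate a signed URL in Python:

```python
import base64
import hashlib
import hmac
import urllib.parse

# HMAC-SHA1 over the string to sign, keyed with the sample AccessKey secret.
# Python 3 requires bytes for both the key and the message.
h = hmac.new(b"OtxrzxIsfpFjA7SwPzILwy8Bw21TLhquhboDYROV",
             b"GET\n\n\n1141889120\n/oss-example/oss-api.pdf",
             hashlib.sha1)
# Base64-encode the digest, then URL-encode it for use as the Signature value.
signature = urllib.parse.quote(base64.b64encode(h.digest()).decode())
print(signature)
```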
OSS SDKs provide methods to generate a signed URL. For more information, see SDK reference.
For more information about how to generate a signed URL for OSS SDKs, see the following table.
|SDK||URL signature method||Implementation file|
The following code provides an example of how to generate a signed URL:
A signed URL must include the following three parameters: Signature, Expires, and OSSAccessKeyId. When you generate the signature string, replace Date with Expires, but include the headers such as Content-Type and Content-MD5 defined in Add signatures to headers. (Although Date still exists in the request header, you do not need to add it to the signature string.)
- Expires specifies the validity period of the URL. The value of this parameter is in UNIX time format, that is, the number of seconds that have elapsed since January 1, 1970 UTC. If OSS receives the URL request at a time later than the value of Expires that is included in the signature, a request timeout error is returned. For example, the current time is 1141889060. To create a URL that is scheduled to expire in 60 seconds, you can set the value of Expires to 1141889120.
Note: For security reasons, the default validity period of a URL is 3,600 seconds. The maximum validity period of a URL is 32,400 seconds.
- OSSAccessKeyId specifies the AccessKey ID of a key.
- Signature specifies the signature information. For all requests and headers that OSS supports, the signature algorithm for a URL is basically the same as that for a header in Add signatures to headers.
Signature = urlencode(base64(hmac-sha1(AccessKeySecret, VERB + "\n" + CONTENT-MD5 + "\n" + CONTENT-TYPE + "\n" + EXPIRES + "\n" + CanonicalizedOSSHeaders + CanonicalizedResource)))
For more information about values of the CONTENT-TYPE headers, see Add signatures to headers.
Note: The differences are as follows:
- When a signed URL is created, the Expires parameter replaces the Date parameter.
- If more than one Signature, Expires, or OSSAccessKeyId value is passed in, the first value is used.
- Before verifying the signature of a request, OSS checks the request time to determine whether it is later than the time specified in Expires.
- When you add a signature string to a URL, you must encode the URL.
- When you add a signature to a temporary user URL, you must include security-token. The format is as follows:
| Error code | Error message | Description |
| --- | --- | --- |
| AccessDenied | 403 Forbidden | Returned because one or more of the Signature, Expires, and OSSAccessKeyId parameters are missing. When a signature is added to a URL, the Signature, Expires, and OSSAccessKeyId parameters can appear in any order. |
| AccessDenied | 403 Forbidden | Returned because the current access time is later than the Expires value set in the request, or the time is in an invalid format. |
| InvalidArgument | 400 Bad Request | Returned because a URL includes one or more of the Signature, Expires, and OSSAccessKeyId parameters and the header also includes the signature information. |
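
The signing formula, the Expires rules and the error table above, combined into one added example (not code from the OSS SDKs): `presign` builds a signed URL and `verify` models the checks this page describes. The object URL, the key ID `EXAMPLE_KEY_ID`, the function names and the `SignatureMismatch` label are assumptions of this example; the secret is the sample value from the snippet on this page.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qs, quote, urlsplit

MAX_VALIDITY = 32400  # maximum validity period stated on this page, in seconds

def url_signature(secret, verb, expires, resource, content_md5="", content_type="", oss_headers=""):
    # String to sign from the formula above, with Expires in place of Date.
    msg = f"{verb}\n{content_md5}\n{content_type}\n{expires}\n{oss_headers}{resource}"
    mac = hmac.new(secret.encode(), msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def presign(object_url, resource, key_id, secret, verb="GET", ttl=3600, now=None):
    # Refuse validity periods beyond the documented maximum: a long-lived URL
    # keeps the object exposed to anyone who obtains the link.
    if not 0 < ttl <= MAX_VALIDITY:
        raise ValueError("validity period must be between 1 and 32400 seconds")
    expires = int(time.time() if now is None else now) + ttl
    # safe="" so that '+', '/' and '=' in the Base64 text are percent-encoded.
    sig = quote(url_signature(secret, verb, expires, resource), safe="")
    return f"{object_url}?OSSAccessKeyId={quote(key_id, safe='')}&Expires={expires}&Signature={sig}"

def verify(url, verb, resource, secrets, now, has_auth_header=False):
    """Model of the checks for a URL-signed request; returns "OK" or an error code."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # If a parameter is repeated, only its first value is used.
    p = {k: query[k][0] for k in ("OSSAccessKeyId", "Expires", "Signature") if k in query}
    if p and has_auth_header:
        return "InvalidArgument"    # signature in both the URL and the header
    if len(p) < 3:
        return "AccessDenied"       # a required parameter is missing
    if not p["Expires"].isdecimal() or now > int(p["Expires"]):
        return "AccessDenied"       # expired or malformed; checked before the signature
    secret = secrets.get(p["OSSAccessKeyId"], "")
    expected = url_signature(secret, verb, p["Expires"], resource)
    # Constant-time comparison avoids leaking how many characters matched.
    if not secret or not hmac.compare_digest(expected.encode(), p["Signature"].encode()):
        return "SignatureMismatch"  # label chosen for this example, not from the page
    return "OK"

if __name__ == "__main__":
    # Constructed sample values: hypothetical host and key ID, the page's sample secret.
    secret = "OtxrzxIsfpFjA7SwPzILwy8Bw21TLhquhboDYROV"
    url = presign("https://oss-example.example.invalid/oss-api.pdf",
                  "/oss-example/oss-api.pdf", "EXAMPLE_KEY_ID", secret, ttl=60, now=1141889060)
    print(url)
    print(verify(url, "GET", "/oss-example/oss-api.pdf", {"EXAMPLE_KEY_ID": secret}, 1141889100))
```

Because the verb and resource are part of the signed string, a URL signed for GET on one object is rejected for PUT or for any other object, and appending a second, later `Expires` value does not extend its lifetime.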