Object Storage Service: Authorize access

Last Updated: Jan 12, 2024

This topic describes two ways to authorize temporary access to Object Storage Service (OSS): by using Security Token Service (STS) and by using a signed URL.

Usage notes

  • A validity period must be specified for both temporary access credentials and a signed URL. When you use temporary access credentials to generate a signed URL for operations such as object upload and download, the shorter of the two validity periods takes effect. For example, if you set the validity period of the temporary access credentials provided by STS to 1,200 seconds and the validity period of the signed URL generated by using those credentials to 3,600 seconds, you cannot use the signed URL to upload objects after the temporary access credentials expire, even though the signed URL itself is still within its validity period.

  • In this topic, access credentials are obtained from environment variables. For more information about how to configure access credentials, see Configure access credentials.

  • In this topic, the public endpoint of the China (Hangzhou) region is used. If you want to access OSS by using other Alibaba Cloud services in the same region as OSS, use an internal endpoint, such as https://oss-cn-hangzhou-internal.aliyuncs.com. For more information about OSS regions and endpoints, see Regions and endpoints.

  • In this topic, a public OSS endpoint is used to create an OSSClient instance. If you want to create an OSSClient instance by using custom domain names or temporary access credentials obtained from STS, see Create an OSSClient instance.

Use STS for temporary access authorization

You can use STS to authorize temporary access to OSS. STS is a web service that provides temporary access tokens. You can use STS to grant temporary access credentials that have a custom validity period and custom permissions to a third-party application or a RAM user that is managed by you. For more information about STS, see What is STS?

STS has the following benefits:

  • You only need to generate a temporary access token and send the access token to a third-party application. You do not need to provide your AccessKey pair to the third-party application. You can specify the access permissions and the validity period of the token.

  • The token automatically expires after the validity period. Therefore, you do not need to manually revoke the access permissions of a token.

To access OSS by using temporary access credentials provided by STS, perform the following operations:

  1. Obtain temporary access credentials.

    Temporary access credentials contain a security token and a temporary AccessKey pair that consists of an AccessKey ID and an AccessKey secret. The minimum validity period of temporary access credentials is 900 seconds. The maximum validity period of temporary access credentials is the maximum session duration specified for the current role. For more information, see Specify the maximum session duration for a RAM role.

    You can use one of the following methods to obtain temporary access credentials:

    • Method 1:

      Call the AssumeRole operation to obtain temporary access credentials.

    • Method 2:

      Use STS SDKs to obtain temporary access credentials. For more information, see Overview.

  2. Upload an object by using the temporary access credentials obtained from STS.

    import com.aliyun.oss.*;
    import com.aliyun.oss.common.auth.*;
    import com.aliyun.oss.model.GetObjectRequest;
    import com.aliyun.oss.model.PutObjectRequest;
    import java.io.File;
    
    public class Demo {
        public static void main(String[] args) throws Throwable {
            // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
            String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
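            // Obtain access credentials from environment variables. Before you run the code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set. For temporary access credentials obtained from STS, also set OSS_SESSION_TOKEN to the security token. 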
            EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
            // Specify the name of the bucket. Example: examplebucket. 
            String bucketName = "examplebucket";
            // Specify the full path of the object. Example: exampleobject.txt. Do not include the bucket name in the full path. 
            String objectName = "exampleobject.txt";
            // Specify the full path of the local file. 
            String pathName = "D:\\localpath\\examplefile.txt";
    
            // After you obtain temporary access credentials from STS, you can use the access credentials to create an OSSClient instance. 
            // Create an OSSClient instance. 
            OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);
    
            try {            
                // Upload an object. In this example, a local file is uploaded to OSS.             
                PutObjectRequest putObjectRequest = new PutObjectRequest(bucketName, objectName, new File(pathName));
                ossClient.putObject(putObjectRequest);
    
                // Download an object to your local computer as a local file. If an existing file has the same name as the downloaded object, the existing file is overwritten by the downloaded object. Otherwise, the downloaded object is saved.             
                //ossClient.getObject(new GetObjectRequest(bucketName, objectName), new File(pathName));
            } catch (OSSException oe) {
                System.out.println("Caught an OSSException, which means your request made it to OSS, "
                        + "but was rejected with an error response for some reason.");
                System.out.println("Error Message:" + oe.getErrorMessage());
                System.out.println("Error Code:" + oe.getErrorCode());
                System.out.println("Request ID:" + oe.getRequestId());
                System.out.println("Host ID:" + oe.getHostId());
            } catch (ClientException ce) {
                System.out.println("Caught an ClientException, which means the client encountered "
                        + "a serious internal problem while trying to communicate with OSS, "
                        + "such as not being able to access the network.");
                System.out.println("Error Message:" + ce.getMessage());
            } finally {
                if (ossClient != null) {
                    ossClient.shutdown();
                }
            }
        }
    }

Use a signed URL for temporary access authorization

This section provides examples on how to generate a signed URL to authorize temporary access to OSS.

Note

To generate a signed URL for access over HTTPS, set the protocol in the endpoint to HTTPS.

You can generate a signed URL and provide a visitor with the URL for temporary access. When you generate a signed URL, you can specify the validity period of the URL to limit the period of time during which the visitor can access the specified data.

Important

The signed URL generated by using the following sample code may contain a plus sign (+). In this case, you must replace the plus sign (+) in the URL with %2B. Otherwise, the signed URL may be inaccessible.

Generate a signed URL that allows HTTP GET requests

The following sample code provides an example on how to generate a signed URL that allows HTTP GET requests:

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import java.net.URL;
import java.util.Date;

public class Demo {
    public static void main(String[] args) throws Throwable {
        // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
        String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
        // Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // Specify the name of the bucket. Example: examplebucket. 
        String bucketName = "examplebucket";
        // Specify the full path of the object. Example: exampleobject.txt. Do not include the bucket name in the full path. 
        String objectName = "exampleobject.txt";
        
        // Create an OSSClient instance. 
        OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);

        try {
            // Specify the validity period of the signed URL. Unit: milliseconds. In this example, the validity period is set to 1 hour. 
            Date expiration = new Date(new Date().getTime() + 3600 * 1000L);
            // Generate the signed URL that allows HTTP GET requests. Visitors can enter the URL in a browser to access the specified content. 
            URL url = ossClient.generatePresignedUrl(bucketName, objectName, expiration);
            System.out.println(url);
        } catch (OSSException oe) {
            System.out.println("Caught an OSSException, which means your request made it to OSS, "
                    + "but was rejected with an error response for some reason.");
            System.out.println("Error Message:" + oe.getErrorMessage());
            System.out.println("Error Code:" + oe.getErrorCode());
            System.out.println("Request ID:" + oe.getRequestId());
            System.out.println("Host ID:" + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Caught an ClientException, which means the client encountered "
                    + "a serious internal problem while trying to communicate with OSS, "
                    + "such as not being able to access the network.");
            System.out.println("Error Message:" + ce.getMessage());
        } finally {
            if (ossClient != null) {
                ossClient.shutdown();
            }
        }
    }
}

Generate a signed URL that allows other HTTP request methods

To authorize users to temporarily perform operations such as object upload and deletion, you must generate a signed URL that allows requests by using specific HTTP methods. For example, you can generate a signed URL that allows HTTP PUT requests to authorize users to upload objects.

The following sample code provides an example on how to generate a signed URL that allows HTTP PUT requests:

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.common.utils.HttpHeaders;
import com.aliyun.oss.model.GeneratePresignedUrlRequest;
import java.io.ByteArrayInputStream;
import java.net.URL;
import java.util.*;
import java.util.Date;

import static com.aliyun.oss.internal.OSSHeaders.OSS_USER_METADATA_PREFIX;

public class Demo {
    public static void main(String[] args) throws Throwable {
        // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
        String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
        // Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // Specify the name of the bucket. Example: examplebucket. 
        String bucketName = "examplebucket";
        // Specify the full path of the object. Example: exampleobject.txt. Do not include the bucket name in the full path. 
        String objectName = "exampleobject.txt";
        
        // Create an OSSClient instance. 
        OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);

        try {
            GeneratePresignedUrlRequest request = new GeneratePresignedUrlRequest(bucketName, objectName, HttpMethod.PUT);
            // Specify the validity period of the signed URL. Unit: milliseconds. In this example, the validity period is set to 1 hour. 
            Date expiration = new Date(new Date().getTime() + 3600 * 1000L);
            request.setExpiration(expiration);
            // Specify ContentType. 
            request.setContentType("text/plain");
            // Specify user metadata. 
            request.addUserMetadata("author", "aliy");

            // Generate the signed URL. 
            URL signedUrl = ossClient.generatePresignedUrl(request);
            System.out.println(signedUrl);

            Map<String, String> requestHeaders = new HashMap<String, String>();
            // Specify ContentType. Make sure that the value of ContentType is the same as the content type that is specified when you generate the signed URL. 
            requestHeaders.put(HttpHeaders.CONTENT_TYPE, "text/plain");
            // Specify user metadata. 
            requestHeaders.put(OSS_USER_METADATA_PREFIX + "author", "aliy");

            // Use the signed URL to upload the object. 
            ossClient.putObject(signedUrl, new ByteArrayInputStream("Hello OSS".getBytes()), -1, requestHeaders, true);
        } catch (OSSException oe) {
            System.out.println("Caught an OSSException, which means your request made it to OSS, "
                    + "but was rejected with an error response for some reason.");
            System.out.println("Error Message:" + oe.getErrorMessage());
            System.out.println("Error Code:" + oe.getErrorCode());
            System.out.println("Request ID:" + oe.getRequestId());
            System.out.println("Host ID:" + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Caught an ClientException, which means the client encountered "
                    + "a serious internal problem while trying to communicate with OSS, "
                    + "such as not being able to access the network.");
            System.out.println("Error Message:" + ce.getMessage());
        } finally {
            if (ossClient != null) {
                ossClient.shutdown();
            }
        }
    }
}

If you include the HttpMethod.PUT parameter when you create a signed URL, authorized visitors can use the signed URL to upload objects.
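
Both the requirement that the Content-Type and x-oss-meta- headers sent with a signed URL match the ones used at signing time, and the requirement to escape a plus sign as %2B, follow from how the signature is computed. The following added example (not part of the original topic or of the OSS SDK) models that locally; it assumes the V1 URL signature format (Base64 of HMAC-SHA1 over the method, Content-MD5, Content-Type, Expires, canonicalized x-oss- headers and the resource) with a long-term AccessKey pair and no security token, and the class name, the secret and the accepts method are constructed for illustration:

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;

public class SignedUrlV1Sketch {
    // Constructed sample secret for this sketch, not a real AccessKey secret.
    static final byte[] SECRET = "constructed-sample-secret".getBytes(StandardCharsets.UTF_8);

    // V1 string-to-sign: method, Content-MD5, Content-Type, Expires, the
    // canonicalized x-oss-* headers, then the /bucket/object resource.
    static String stringToSign(String method, String contentType, long expires,
                               Map<String, String> ossHeaders, String resource) {
        StringBuilder sb = new StringBuilder()
                .append(method).append('\n')
                .append('\n')                       // Content-MD5 is left empty here
                .append(contentType).append('\n')
                .append(expires).append('\n');
        // Header names are lowercased and sorted; each adds "name:value\n".
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String> h : ossHeaders.entrySet()) {
            sorted.put(h.getKey().toLowerCase(Locale.ROOT), h.getValue().trim());
        }
        for (Map.Entry<String, String> h : sorted.entrySet()) {
            sb.append(h.getKey()).append(':').append(h.getValue()).append('\n');
        }
        return sb.append(resource).toString();
    }

    static String sign(String toSign) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(SECRET, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(toSign.getBytes(StandardCharsets.UTF_8)));
    }

    // Local model of the receiving side: rebuild the string-to-sign from the
    // request that actually arrived, check the expiry, compare in constant time.
    static boolean accepts(String method, String contentType, long expires,
                           Map<String, String> ossHeaders, String resource,
                           String presentedSignature, long nowEpochSeconds) throws Exception {
        if (nowEpochSeconds > expires) {
            return false;
        }
        String expected = sign(stringToSign(method, contentType, expires, ossHeaders, resource));
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                presentedSignature.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String resource = "/examplebucket/exampleobject.txt";
        Map<String, String> meta = Collections.singletonMap("x-oss-meta-author", "aliy");
        Map<String, String> none = Collections.emptyMap();
        long now = 1700000000L;          // fixed clock so every run behaves the same
        long expires = now + 3600;

        // Move the expiry forward one second at a time until the Base64
        // signature contains '+', the case the Important note is about.
        String sig = sign(stringToSign("PUT", "text/plain", expires, meta, resource));
        while (sig.indexOf('+') < 0) {
            expires++;
            sig = sign(stringToSign("PUT", "text/plain", expires, meta, resource));
        }
        System.out.println("Signature: " + sig);

        System.out.println("same headers:           "
                + accepts("PUT", "text/plain", expires, meta, resource, sig, now));
        System.out.println("other Content-Type:     "
                + accepts("PUT", "application/octet-stream", expires, meta, resource, sig, now));
        System.out.println("metadata header unsent: "
                + accepts("PUT", "text/plain", expires, none, resource, sig, now));
        System.out.println("after expiry:           "
                + accepts("PUT", "text/plain", expires, meta, resource, sig, expires + 1));

        // Form-style query decoding turns a raw '+' into a space, so the
        // value that reaches the comparison is no longer the signature.
        String rawDecoded = URLDecoder.decode(sig, "UTF-8");
        String escaped = URLEncoder.encode(sig, "UTF-8");      // '+' becomes %2B
        String escapedDecoded = URLDecoder.decode(escaped, "UTF-8");
        System.out.println("raw '+' in query:       "
                + accepts("PUT", "text/plain", expires, meta, resource, rawDecoded, now));
        System.out.println("escaped as " + escaped + ": "
                + accepts("PUT", "text/plain", expires, meta, resource, escapedDecoded, now));
    }
}
```

Only the first and last checks are accepted: any change to a signed header, an elapsed expiry, or a plus sign that was decoded as a space produces a different value from the one that was signed.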

Generate a signed URL that includes specific parameters or headers

  • Generate a signed URL that includes specific parameters or headers

    The following sample code provides an example on how to generate a signed URL that includes specific parameters:

    import com.aliyun.oss.*;
    import com.aliyun.oss.common.auth.*;
    import com.aliyun.oss.model.GeneratePresignedUrlRequest;
    import java.net.URL;
    import java.util.*;
    import java.util.Date;
    
    public class Demo {
        public static void main(String[] args) throws Throwable {
            // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
            String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
            // Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
            EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
            // Specify the name of the bucket. Example: examplebucket. 
            String bucketName = "examplebucket";
            // Specify the full path of the object. Example: exampleobject.txt. Do not include the bucket name in the full path. 
            String objectName = "exampleobject.txt";
    
            // Create an OSSClient instance. 
            OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);
    
            try {
                // Create a request. 
                GeneratePresignedUrlRequest generatePresignedUrlRequest = new GeneratePresignedUrlRequest(bucketName, objectName);
                // Set HttpMethod to PUT. 
                generatePresignedUrlRequest.setMethod(HttpMethod.PUT);
                // Specify user metadata. 
                generatePresignedUrlRequest.addUserMetadata("author", "baymax");
                // Specify ContentType. 
                generatePresignedUrlRequest.setContentType("application/txt");
                // Specify the validity period of the signed URL. Unit: milliseconds. In this example, the validity period is set to 1 hour. 
                Date expiration = new Date(new Date().getTime() + 3600 * 1000L);
                generatePresignedUrlRequest.setExpiration(expiration);
                // Generate the signed URL. 
                URL url = ossClient.generatePresignedUrl(generatePresignedUrlRequest);
                System.out.println(url);
            } catch (OSSException oe) {
                System.out.println("Caught an OSSException, which means your request made it to OSS, "
                        + "but was rejected with an error response for some reason.");
                System.out.println("Error Message:" + oe.getErrorMessage());
                System.out.println("Error Code:" + oe.getErrorCode());
                System.out.println("Request ID:" + oe.getRequestId());
                System.out.println("Host ID:" + oe.getHostId());
            } catch (ClientException ce) {
                System.out.println("Caught an ClientException, which means the client encountered "
                        + "a serious internal problem while trying to communicate with OSS, "
                        + "such as not being able to access the network.");
                System.out.println("Error Message:" + ce.getMessage());
            } finally {
                if (ossClient != null) {
                    ossClient.shutdown();
                }
            }
        }
    }

  • Generate a signed URL that includes the versionId header

    The following sample code provides an example on how to generate a signed URL that includes the versionId header:

    import com.aliyun.oss.*;
    import com.aliyun.oss.common.auth.*;
    import com.aliyun.oss.model.GeneratePresignedUrlRequest;
    import java.net.URL;
    import java.util.*;
    import java.util.Date;
    
    public class Demo {
        public static void main(String[] args) throws Throwable {
            // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
            String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
            // Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
            EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
            // Specify the name of the bucket. Example: examplebucket. 
            String bucketName = "examplebucket";
            // Specify the full path of the object. Example: exampleobject.txt. Do not include the bucket name in the full path. 
            String objectName = "exampleobject.txt";
            // Specify the version ID of the object. 
            String versionId = "CAEQARiBgID8rumR2hYiIGUyOTAyZGY2MzU5MjQ5ZjlhYzQzZjNlYTAyZDE3****";
    
            // Create an OSSClient instance. 
            OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);
    
            try {
                // Create a request. 
                GeneratePresignedUrlRequest generatePresignedUrlRequest = new GeneratePresignedUrlRequest(bucketName, objectName);
                // Set HttpMethod to GET. 
                generatePresignedUrlRequest.setMethod(HttpMethod.GET);
                // Specify the validity period of the signed URL. Unit: milliseconds. In this example, the validity period is set to 1 hour. 
                Date expiration = new Date(new Date().getTime() + 3600 * 1000L);
                generatePresignedUrlRequest.setExpiration(expiration);
                // Specify the version ID of the object. 
                Map<String, String> queryParam = new HashMap<String, String>();
                queryParam.put("versionId", versionId);
                generatePresignedUrlRequest.setQueryParameter(queryParam);
                // Generate the signed URL. 
                URL url = ossClient.generatePresignedUrl(generatePresignedUrlRequest);
                System.out.println(url);
            } catch (OSSException oe) {
                System.out.println("Caught an OSSException, which means your request made it to OSS, "
                        + "but was rejected with an error response for some reason.");
                System.out.println("Error Message:" + oe.getErrorMessage());
                System.out.println("Error Code:" + oe.getErrorCode());
                System.out.println("Request ID:" + oe.getRequestId());
                System.out.println("Host ID:" + oe.getHostId());
            } catch (ClientException ce) {
                System.out.println("Caught an ClientException, which means the client encountered "
                        + "a serious internal problem while trying to communicate with OSS, "
                        + "such as not being able to access the network.");
                System.out.println("Error Message:" + ce.getMessage());
            } finally {
                if (ossClient != null) {
                    ossClient.shutdown();
                }
            }
        }
    }

Use a signed URL to upload or download an object

  • Use a signed URL to upload an object in simple upload

    The following sample code provides an example on how to generate a signed URL and use the signed URL to upload an object in simple upload:

    Note

    You can also create a signed URL and then use the URL to authorize simple upload of an object. For more information about how to generate a signed URL, see URL Signature.

    import com.aliyun.oss.*;
    import com.aliyun.oss.common.auth.*;
    import com.aliyun.oss.internal.OSSHeaders;
    import com.aliyun.oss.model.GeneratePresignedUrlRequest;
    import com.aliyun.oss.model.StorageClass;
    import org.apache.http.HttpEntity;
    import org.apache.http.client.methods.CloseableHttpResponse;
    import org.apache.http.client.methods.HttpPut;
    import org.apache.http.entity.FileEntity;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import java.io.*;
    import java.net.URL;
    import java.util.*;
    import java.util.Date;
    
    public class Demo {
        public static void main(String[] args) throws Throwable {
            // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
            String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
            // Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
            EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
            // Specify the name of the bucket. Example: examplebucket. 
            String bucketName = "examplebucket";
            // Specify the full path of the object. Example: exampleobject.txt. Do not include the bucket name in the full path. 
            String objectName = "exampleobject.txt";
            // Specify the full path of the local file that you want to upload. By default, if you do not specify the path of the local file, the file is uploaded from the path of the project to which the sample program belongs. 
            String pathName = "D:\\localpath\\examplefile.txt";
    
            // Create an OSSClient instance.
            OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);
            
            // Specify request headers. 
            Map<String, String> headers = new HashMap<String, String>();
            /*// Specify the storage class of the object. 
            headers.put(OSSHeaders.STORAGE_CLASS, StorageClass.Standard.toString());
            // Specify ContentType. 
            headers.put(OSSHeaders.CONTENT_TYPE, "text/txt");*/
    
            // Specify user metadata. 
            Map<String, String> userMetadata = new HashMap<String, String>();
            /*userMetadata.put("key1","value1");
            userMetadata.put("key2","value2");*/
    
            URL signedUrl = null;
            try {
                // Specify the validity period of the signed URL. Unit: milliseconds. In this example, the validity period is set to 1 hour. 
                Date expiration = new Date(new Date().getTime() + 3600 * 1000L);
    
                // Generate the signed URL. 
                GeneratePresignedUrlRequest request = new GeneratePresignedUrlRequest(bucketName, objectName, HttpMethod.PUT);
                // Specify the expiration time. 
                request.setExpiration(expiration);
    
                // Add the headers to the request. 
                request.setHeaders(headers);
                // Specify user metadata. 
                request.setUserMetadata(userMetadata);
    
                // Generate a signed URL that allows HTTP PUT requests. 
                signedUrl = ossClient.generatePresignedUrl(request);
                // Display the signed URL. 
                System.out.println("signed url for putObject: " + signedUrl);
    
            } catch (OSSException oe) {
                System.out.println("Caught an OSSException, which means your request made it to OSS, "
                        + "but was rejected with an error response for some reason.");
                System.out.println("Error Message:" + oe.getErrorMessage());
                System.out.println("Error Code:" + oe.getErrorCode());
                System.out.println("Request ID:" + oe.getRequestId());
                System.out.println("Host ID:" + oe.getHostId());
            } catch (ClientException ce) {
                System.out.println("Caught an ClientException, which means the client encountered "
                        + "a serious internal problem while trying to communicate with OSS, "
                        + "such as not being able to access the network.");
                System.out.println("Error Message:" + ce.getMessage());
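            } finally {
                // The URL is already signed, so the OSSClient instance is no longer needed. 
                ossClient.shutdown();
            }
    
            // Use the signed URL to authorize users to upload the object. In this example, HttpClients is used. 
            if (signedUrl != null) {
                putObjectWithHttp(signedUrl, pathName, headers, userMetadata);
            }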
        }
    
        public static void putObjectWithHttp(URL signedUrl, String pathName, Map<String, String> headers, Map<String, String> userMetadata) throws IOException {
            CloseableHttpClient httpClient = null;
            CloseableHttpResponse response = null;
            try {
                HttpPut put = new HttpPut(signedUrl.toString());
                HttpEntity entity = new FileEntity(new File(pathName));
                put.setEntity(entity);
                // If you configure headers such as the user metadata and storage class when a signed URL is generated, these parameters must be sent to the server when the signed URL is used to upload the object. If headers for the signature are inconsistent with those sent to the server, a signature error is reported. 
                for (Map.Entry<String, String> header : headers.entrySet()) {
                    put.addHeader(header.getKey(), header.getValue());
                }
                for (Map.Entry<String, String> meta : userMetadata.entrySet()) {
                    // If userMeta is used, the x-oss-meta- prefix is added to userMeta. If you use other methods to generate a signed URL for object upload, the x-oss-meta- prefix is also added to userMeta. 
                    put.addHeader("x-oss-meta-" + meta.getKey(), meta.getValue());
                }
    
                httpClient = HttpClients.createDefault();
    
                response = httpClient.execute(put);
    
                System.out.println("Upload status code:"+response.getStatusLine().getStatusCode());
                if(response.getStatusLine().getStatusCode() == 200){
                    System.out.println("The object is uploaded by using the network library.");
                }
                System.out.println(response.toString());
            } catch (Exception e){
                e.printStackTrace();
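            } finally {
                // Either resource is still null if the request failed before it was created. 
                if (response != null) {
                    response.close();
                }
                if (httpClient != null) {
                    httpClient.close();
                }
            }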
        }
    }

  • Use signed URLs to upload an object in multipart upload

    If you want to use signed URLs to authorize third-party applications to upload a large object in multipart upload, you must initiate a multipart upload task, generate a signed URL for each part, and provide the signed URLs to the third-party applications. Then, the third-party applications can use the signed URLs to upload all parts of the object and combine the parts.

    The following sample code provides an example on how to generate signed URLs and use the signed URLs to upload an object in multipart upload:

    import com.aliyun.oss.*;
    import com.aliyun.oss.common.auth.*;
    import com.aliyun.oss.model.*;
    import org.apache.http.client.methods.CloseableHttpResponse;
    import org.apache.http.client.methods.HttpPut;
    import org.apache.http.entity.InputStreamEntity;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import java.io.*;
    import java.net.URL;
    import java.util.*;
    import java.util.Date;
    
    public class SignUrlMultipart {
        public static void main(String[] args) throws Throwable {
            // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
            String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
            // Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
            EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();  
            // Specify the name of the bucket. Example: examplebucket. 
            String bucketName = "examplebucket";
            // Specify the full path of the object. Example: exampleobject.txt. Do not include the bucket name in the full path. 
            String objectName = "exampleobject.txt";
            // Specify the full path of the local file that you want to upload. By default, if you do not specify the full path of a local file, the local file is uploaded from the path of the project to which the sample program belongs. 
            String pathName = "D:\\localpath\\examplefile.txt";
            // Specify the validity period of the signed URLs. Unit: milliseconds. In this example, the validity period is set to 1 hour. 
            long expireTime = 3600*1000L;
    
            // Create an OSSClient instance. 
            OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);
            
            // Create an InitiateMultipartUploadRequest object. 
            InitiateMultipartUploadRequest initRequest = new InitiateMultipartUploadRequest(bucketName, objectName);
    
            // Initiate the multipart upload task. 
            InitiateMultipartUploadResult upResult = ossClient.initiateMultipartUpload(initRequest);
            // Obtain the upload ID. The upload ID uniquely identifies the multipart upload task. You can use the upload ID to perform related operations, such as canceling and querying the multipart upload task. 
            String uploadId = upResult.getUploadId();
    
            // partETags is a set of PartETags. A PartETag consists of the part number and ETag of an uploaded part. 
            List<PartETag> partETags =  new ArrayList<PartETag>();
            // Specify the part size, which is used to calculate the number of parts of the object. Unit: bytes. 
            long partSize = 1 * 100 * 1024L;   // In this example, the part size is set to 100 KB. 
    
            // Specify the full path of the local file that you want to upload. By default, if you do not specify the path of the local file, the file is uploaded from the path of the project to which the sample program belongs. 
            File sampleFile = new File(pathName);
            long fileLength = sampleFile.length();
            // If you want to split the local file into only one part, set the part size to the size of the local file. 
            // partSize = sampleFile.length();
            int partCount = (int) (fileLength / partSize);
            if (fileLength % partSize != 0) {
                partCount++;
            }
    
            // Specify request headers for the signed URLs. 
            Map<String, String> headers = new HashMap<String, String>();
            /*// Specify the storage class of the object. 
            headers.put(OSSHeaders.STORAGE_CLASS, StorageClass.Standard.toString());
            // Specify ContentType. 
            headers.put(OSSHeaders.CONTENT_TYPE, "text/txt");*/
    
    
            // Traverse all parts to obtain all signed URLs and upload the parts. 
            // You can also obtain the signed URLs of all parts at a time and then upload the parts. The following sample code provides an example on how to obtain a single signed URL and use the signed URL to upload a part: 
            for (int i = 0; i < partCount; i++) {
                long startPos = i * partSize;
                long curPartSize = (i + 1 == partCount) ? (fileLength - startPos) : partSize;
    
                String signUrl = getSignUrl(ossClient, bucketName, objectName, HttpMethod.PUT, expireTime, i + 1, uploadId, headers);
    
                // Use the signed URL to upload the part. In this example, HttpClients is used. 
                putObjectWithHttp(signUrl, pathName, startPos, curPartSize, headers);
            }
    
            // If the system for part upload is different from the system for part combination, you must list parts before you can combine the parts. 
            // List uploaded parts. 
            ListPartsRequest listPartsRequest = new ListPartsRequest(bucketName, objectName, uploadId);
            PartListing partListing = ossClient.listParts(listPartsRequest);
    
            // Traverse the parts and populate partETags. 
            for (PartSummary part : partListing.getParts()) {
                PartETag partETag = new PartETag(part.getPartNumber(), part.getETag());
                partETags.add(partETag);
            }
    
            // Combine the parts. 
            CompleteMultipartUploadRequest completeMultipartUploadRequest =
                    new CompleteMultipartUploadRequest(bucketName, objectName, uploadId, partETags);
            // String md5 = BinaryUtil.toBase64String(BinaryUtil.calculateMd5("aaa".getBytes()));
            // Specify that an existing object that has the same name is not overwritten. 
            // completeMultipartUploadRequest.addHeader("x-oss-forbid-overwrite", "true");
            // Specify MD5 checksum verification for part combination. 
            // completeMultipartUploadRequest.addHeader("Content-MD5", md5);
    
    
            // Complete the multipart upload task. 
            CompleteMultipartUploadResult completeMultipartUploadResult = ossClient.completeMultipartUpload(completeMultipartUploadRequest);
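            System.out.println("Parts are combined. The upload task is complete.");
            // Release the resources held by the OSSClient instance after the task is complete. 
            ossClient.shutdown();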
    
            // If you want to return the part upload result in the response, set Process to true. 
            // completeMultipartUploadRequest.setProcess("true");
            // System.out.println("Parts are combined. The upload task is complete. Multipart upload status code: "+completeMultipartUploadResult.getResponse().getStatusCode());
        }
    
        public static void putObjectWithHttp(String signedUrl, String pathName, long startPos, long partSize, Map<String, String> headers) throws IOException {
            CloseableHttpClient httpClient = null;
            CloseableHttpResponse response = null;
            FileInputStream inStream = null;
            try {
                HttpPut put = new HttpPut(signedUrl);
    
                inStream = new FileInputStream(pathName);
                // Skip parts that have been uploaded. skip() may skip fewer bytes than requested, so repeat until startPos is reached. 
                long skipped = 0;
                while (skipped < startPos) {
                    long n = inStream.skip(startPos - skipped);
                    if (n <= 0) {
                        throw new IOException("Unable to seek to offset " + startPos + " in " + pathName);
                    }
                    skipped += n;
                }
                InputStreamEntity entity = new InputStreamEntity(inStream, partSize);
                put.setEntity(entity);
    
                // If you configure headers such as the user metadata and storage class when a signed URL is generated, these parameters must be sent to the server when the signed URL is used to upload the object. If headers for the signature are inconsistent with those sent to the server, a signature error is reported. 
                for (Map.Entry<String, String> header : headers.entrySet()) {
                    put.addHeader(header.getKey(), header.getValue());
                }
    
                httpClient = HttpClients.createDefault();
    
                response = httpClient.execute(put);
    
                System.out.println("Upload status code:"+response.getStatusLine().getStatusCode());
                if(response.getStatusLine().getStatusCode() == 200){
                    System.out.println("The object is uploaded by using the network library.");
                }
                System.out.println(response.toString());
            } catch (Exception e){
                e.printStackTrace();
            } finally {
                // Close only the resources that were created. A failure before execute() leaves response set to null. 
                if (response != null) {
                    response.close();
                }
                if (httpClient != null) {
                    httpClient.close();
                }
                if (inStream != null) {
                    inStream.close();
                }
            }
        }
    
        public static String getSignUrl(OSS ossClient, String bucketName, String objectName, HttpMethod method, long expireTime, int partNum, String uploadId, Map<String, String> headers){
            // Specify the validity period of the signed URL. Unit: milliseconds. 
            Date expiration = new Date(new Date().getTime() + expireTime);
    
            // Generate the signed URL. 
            GeneratePresignedUrlRequest request = new GeneratePresignedUrlRequest(bucketName, objectName, method);
            // Specify the expiration time. 
            request.setExpiration(expiration);
    
            // Add the headers to the request. 
            request.setHeaders(headers);
    
            request.addQueryParameter("partNumber", String.valueOf(partNum));
    
            request.addQueryParameter("uploadId", uploadId);
    
    
            // Generate the signed URL that allows HTTP requests. 
            URL signedUrl = ossClient.generatePresignedUrl(request);
            // Display the signed URL. 
            System.out.println("signed url: " + signedUrl);
            return signedUrl.toString();
        }
    
    }
  • Use a signed URL to download an object

    The following sample code provides an example on how to use a signed URL to download an object:

    import com.aliyun.oss.*;
    import com.aliyun.oss.common.auth.*;
    import com.aliyun.oss.internal.OSSHeaders;
    import com.aliyun.oss.model.GeneratePresignedUrlRequest;
    import com.aliyun.oss.model.StorageClass;
    import org.apache.http.client.methods.CloseableHttpResponse;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import java.io.*;
    import java.net.URL;
    import java.util.*;
    import java.util.Date;
    
    public class Demo {
        public static void main(String[] args) throws Throwable {
            // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
            String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
            // Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. 
            EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
            // Specify the name of the bucket. Example: examplebucket. 
            String bucketName = "examplebucket";
            // Specify the full path of the object. Example: exampleobject.txt. Do not include the bucket name in the full path. 
            String objectName = "exampleobject.txt";
            // Specify the local path to which you want to download the object. 
            String pathName = "D:\\localpath\\examplefile.txt";
    
            // Create an OSSClient instance. 
            OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);
          
            // Specify request headers. 
            Map<String, String> headers = new HashMap<String, String>();
            /*// Specify the storage class of the object. 
            headers.put(OSSHeaders.STORAGE_CLASS, StorageClass.Standard.toString());
            // Specify ContentType. 
            headers.put(OSSHeaders.CONTENT_TYPE, "text/txt");*/
    
            // Specify user metadata. 
            Map<String, String> userMetadata = new HashMap<String, String>();
            /*userMetadata.put("key1","value1");
            userMetadata.put("key2","value2");*/
    
            URL signedUrl = null;
            try {
                // Specify the validity period of the signed URL. Unit: milliseconds. In this example, the validity period is set to 1 hour. 
                Date expiration = new Date(new Date().getTime() + 3600 * 1000L);
    
                // Generate the signed URL. 
                GeneratePresignedUrlRequest request = new GeneratePresignedUrlRequest(bucketName, objectName, HttpMethod.GET);
                // Specify the expiration time. 
                request.setExpiration(expiration);
    
                // Add the headers to the request. 
                request.setHeaders(headers);
                // Specify user metadata. 
                request.setUserMetadata(userMetadata);
    
                // Specify query parameters. 
                // Map<String, String> queryParam = new HashMap<String, String>();
                // Specify the IP address or CIDR block, which is the value of the sourceIpFromSource field in the log. 
                // queryParam.put("x-oss-ac-source-ip","192.0.2.0");
                // Convert the subnet mask to binary and then enter the number of 1s in the result. 
                // queryParam.put("x-oss-ac-subnet-mask","32");
                // Specify the ID of the virtual private cloud (VPC). 
                // queryParam.put("x-oss-ac-vpc-id","vpc-12345678");
                // Specify whether the request can be forwarded. 
                // queryParam.put("x-oss-ac-forward-allow","true");
                // request.setQueryParameter(queryParam);
    
                // Configure single-connection bandwidth throttling, such as 100 KB/s. Unit: bit/s. 
                // request.setTrafficLimit(100 * 1024 * 8);
    
                // Generate a signed URL that allows HTTP GET requests. 
                signedUrl = ossClient.generatePresignedUrl(request);
                // Display the signed URL. 
                System.out.println("signed url for getObject: " + signedUrl);
            } catch (OSSException oe) {
                System.out.println("Caught an OSSException, which means your request made it to OSS, "
                        + "but was rejected with an error response for some reason.");
                System.out.println("Error Message:" + oe.getErrorMessage());
                System.out.println("Error Code:" + oe.getErrorCode());
                System.out.println("Request ID:" + oe.getRequestId());
                System.out.println("Host ID:" + oe.getHostId());
            } catch (ClientException ce) {
                System.out.println("Caught a ClientException, which means the client encountered "
                        + "a serious internal problem while trying to communicate with OSS, "
                        + "such as not being able to access the network.");
                System.out.println("Error Message:" + ce.getMessage());
            }
    
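            // Use the signed URL to download an object. In this example, HttpClients is used. 
            // signedUrl is null if the signed URL failed to be generated. In this case, skip the download. 
            if (signedUrl != null) {
                getObjectWithHttp(signedUrl, pathName, headers, userMetadata);
            }
            // Release the resources held by the OSSClient instance. 
            ossClient.shutdown();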
        }
    
        public static void getObjectWithHttp(URL signedUrl, String pathName, Map<String, String> headers, Map<String, String> userMetadata) throws IOException {
            CloseableHttpClient httpClient = null;
            CloseableHttpResponse response = null;
            try {
                HttpGet get = new HttpGet(signedUrl.toString());
    
                // If you configure headers such as user metadata and storage class when a signed URL is generated, you must send these parameters to the server when you call the signed URL to download the object. If headers for the signature are inconsistent with those sent to the server, a signature error is reported. 
                for (Map.Entry<String, String> header : headers.entrySet()) {
                    get.addHeader(header.getKey(), header.getValue());
                }
                for (Map.Entry<String, String> meta : userMetadata.entrySet()) {
                    // If user metadata is used, the SDK adds the x-oss-meta- prefix to each user metadata key. When you use other methods to generate a signed URL for object download, the x-oss-meta- prefix is also added to the user metadata keys. 
                    get.addHeader("x-oss-meta-" + meta.getKey(), meta.getValue());
                }
    
                httpClient = HttpClients.createDefault();
                response = httpClient.execute(get);
    
                System.out.println("Download status code:"+response.getStatusLine().getStatusCode());
                if(response.getStatusLine().getStatusCode() == 200){
                    System.out.println("The object is downloaded by using the network library.");
                }
                System.out.println(response.toString());
    
                // Save the object to the disk. 
                saveFileToLocally(response.getEntity().getContent(), pathName);
            } catch (Exception e){
                e.printStackTrace();
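            } finally {
                // Close only the resources that were created. A failure before execute() leaves response set to null. 
                if (response != null) {
                    response.close();
                }
                if (httpClient != null) {
                    httpClient.close();
                }
            }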
        }
    
        public static void saveFileToLocally(InputStream inputStream, String pathName) throws IOException {
            DataInputStream in = null;
            OutputStream out = null;
            try {
                in = new DataInputStream(inputStream);
                out = new DataOutputStream(new FileOutputStream(pathName));
                int bytes = 0;
                byte[] bufferOut = new byte[1024];
                while ((bytes = in.read(bufferOut)) != -1) {
                    out.write(bufferOut, 0, bytes);
                }
            } catch (Exception e){
                e.printStackTrace();
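            } finally {
                // out is null if the local file cannot be opened, so check both streams before closing them. 
                if (in != null) {
                    in.close();
                }
                if (out != null) {
                    out.close();
                }
            }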
        }
    }
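
The comments in the preceding samples state that headers configured when a signed URL is generated must be sent unchanged when the URL is used. The following added example (not part of the original samples and not the OSS SDK's signer) shows why, using a simplified model of an HMAC-SHA1 URL signature computed over the method, Content-MD5, Content-Type, expiry time, x-oss- headers, and resource. The string-to-sign layout, class name, secret, expiry time, and upload ID are assumptions constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;

public class SignedHeaderBindingDemo {
    // Assumed string-to-sign layout (simplified model, not the SDK's signer):
    // VERB \n Content-MD5 \n Content-Type \n Expires \n sorted "x-oss-*:value\n" lines, then the resource.
    static String stringToSign(String verb, long expires, Map<String, String> headers, String resource) {
        String contentMd5 = "", contentType = "";
        TreeMap<String, String> ossHeaders = new TreeMap<>();   // sorted by lowercase header name
        for (Map.Entry<String, String> h : headers.entrySet()) {
            String name = h.getKey().toLowerCase(Locale.ROOT);
            if (name.equals("content-md5")) contentMd5 = h.getValue();
            else if (name.equals("content-type")) contentType = h.getValue();
            else if (name.startsWith("x-oss-")) ossHeaders.put(name, h.getValue().trim());
        }
        StringBuilder sb = new StringBuilder();
        sb.append(verb).append('\n').append(contentMd5).append('\n')
          .append(contentType).append('\n').append(expires).append('\n');
        for (Map.Entry<String, String> h : ossHeaders.entrySet()) {
            sb.append(h.getKey()).append(':').append(h.getValue()).append('\n');
        }
        return sb.append(resource).toString();
    }

    static byte[] sign(String secret, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encode(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-demo-secret";   // constructed value, not a real AccessKey secret
        long expires = 1705050000L;                  // constructed expiry, Unix time in seconds
        String resource = "/examplebucket/exampleobject.txt?partNumber=1&uploadId=CONSTRUCTED_UPLOAD_ID";
        // Headers supplied when the URL was signed.
        Map<String, String> signed = new TreeMap<>();
        signed.put("Content-Type", "text/txt");
        signed.put("x-oss-storage-class", "Standard");
        byte[] urlSignature = sign(secret, stringToSign("PUT", expires, signed, resource));
        // The first request sends the same headers; the second omits the storage class header.
        Map<String, String> sent = new TreeMap<>(signed);
        byte[] recomputedSame = sign(secret, stringToSign("PUT", expires, sent, resource));
        sent.remove("x-oss-storage-class");
        byte[] recomputedChanged = sign(secret, stringToSign("PUT", expires, sent, resource));
        // Constant-time comparison, as a verifier would use.
        System.out.println("same headers match:    " + MessageDigest.isEqual(urlSignature, recomputedSame));
        System.out.println("changed headers match: " + MessageDigest.isEqual(urlSignature, recomputedChanged));
    }
}
```

Because every signed header is part of the signed string, a signed URL authorizes only a request that carries those exact header values. A client that drops or changes one of them produces a different signature on recomputation, which is the signature error described in the sample comments.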

FAQ

When I use a signed URL to upload a file, is the file uploaded if the signed URL expires during the upload?

When you use simple upload, the file is still uploaded even if the signed URL expires during the upload.

When you use multipart upload, remaining parts may not be uploaded if the signed URLs of parts expire during the upload.