This topic describes how a client obtains signature information from an application server (with sample code in several programming languages), how the server derives that information from a POST policy, and how the client then uploads data directly to Object Storage Service (OSS) by using form upload. Because the AccessKey pair used to generate the signature stays on the application server and is never included in the client code, this method is more secure than generating the signature in a JavaScript client.

Process and code analysis

Sequence diagram
  1. A user sends a request to the application server to obtain the upload policy.

    In the upload.js file of the client source code package, set the value of the serverUrl variable in the following snippet to the URL of the application server.

    // serverUrl specifies the URL of the application server that returns signature information and upload policies. Replace the sample IP address and the port number with actual values. 
    serverUrl = 'http://88.88.88.88:8888'

    The client sends GET requests to the application server whose URL is specified by serverUrl to obtain signature information and upload policies. You can download the client source code from the following address: aliyun-oss-appserver-js-master.zip.

    Upload callback is not involved in the scenario described in this topic. Therefore, you must comment out the 'callback' : callbackbody field in the upload.js file of the client source code to disable the upload callback feature.

    {
      'key' : key + '$(unknown)',
      'policy': policyBase64,
      'OSSAccessKeyId': accessid,
      // Set the status code returned by the server to 200. By default, the 204 status code is returned.
      'success_action_status' : '200',
      'callback' : callbackbody,
      'signature': signature,
    }
  2. The application server returns the upload policy and signature to the user.

    A service is deployed on the application server to respond to the GET request sent by the client and return the signature information that is required for object upload. You can modify the code of the service so that the application server returns correct information to the client.

    The following example shows the body that the application server returns to the client:

    {
      "accessid":"LTAI5tBDFVar1hoq****",
      "host":"http://post-test.oss-cn-hangzhou.aliyuncs.com",
      "policy":"eyJleHBpcmF0aW9uIjoiMjAxNS0xMS0wNVQyMDoyMzoyM1oiLCJjxb25kaXRpb25zIjpbWyJjcb250ZW50LWxlbmd0aC1yYW5nZSIsMCwxMDQ4NTc2MDAwXSxbInN0YXJ0cy13aXRoIiwiJGtleSIsInVzZXItZGlyXC8i****",
      "signature":"VsxOcOudx******z93CLaXPz+4s=",
      "expire":1446727949,
      "dir":"user-dirs/"
    }
    The following table describes the fields that are contained in the body.

    Field      Description
    accessid   The required AccessKey ID.
    host       The domain name to which the user sends the upload request.
    policy     The policy for form upload. The policy is a Base64-encoded string. For more information, see PostObject.
    signature  The signature string of the policy. For more information, see the Post Signature section in PostObject.
    expire     The expiration time of the policy specified by the server, in the UNIX timestamp format (the number of seconds that have elapsed since 00:00:00 UTC on January 1, 1970).
    dir        The prefix of objects that are allowed to be uploaded.
  3. The user directly sends an object upload request to OSS.
    new_multipart_params = {
        // key specifies the full path of the object in the bucket. Example: exampledir/exampleobject.txt. The path cannot contain the bucket name.
        // filename specifies the name of the local file to upload.
        'key' : key + '$(unknown)',
        'policy': policyBase64,
        'OSSAccessKeyId': accessid,
        // Set the status code returned by the server to 200. By default, the 204 status code is returned.
        'success_action_status' : '200',
        'signature': signature,
    };
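The server side of step 2 (building the policy, Base64-encoding it and signing it) and the client-side form fields of step 3, shown together as an added Python example. This is not code from the page or from the OSS SDK: the credential values, bucket host, upload prefix and the now_ts argument are constructed for the demonstration, and the function names are assumptions. The signing scheme it implements is the one PostObject specifies: Base64 of an HMAC-SHA1, keyed with the AccessKey secret, over the Base64-encoded policy string.

```python
import base64
import datetime
import hashlib
import hmac
import json

# Constructed sample credentials. A real application server reads these from
# its own configuration; the secret must never reach the client.
SAMPLE_ACCESS_KEY_ID = "LTAI5tBDFVar1hoq****"        # placeholder, as on the page
SAMPLE_ACCESS_KEY_SECRET = "example-secret-do-not-use"  # constructed value


def sign_policy(access_key_secret, policy_b64):
    """Post signature: base64(HMAC-SHA1(AccessKeySecret, base64(policy))).
    The MAC is computed over the Base64 string, not over the raw JSON."""
    digest = hmac.new(access_key_secret.encode("utf-8"),
                      policy_b64.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(access_key_secret, policy_b64, signature):
    """Server-side self-check: recompute and compare in constant time."""
    return hmac.compare_digest(sign_policy(access_key_secret, policy_b64), signature)


def build_upload_policy(access_key_id, access_key_secret, host, upload_dir,
                        now_ts, expire_seconds=30, max_bytes=1048576000):
    """Build the body the application server returns in step 2.
    now_ts is the current UNIX time; a short expire_seconds limits how long a
    leaked policy can be replayed."""
    expire_ts = now_ts + expire_seconds
    expiration = datetime.datetime.fromtimestamp(
        expire_ts, tz=datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    policy = {
        "expiration": expiration,
        "conditions": [
            ["content-length-range", 0, max_bytes],  # cap the upload size
            ["starts-with", "$key", upload_dir],      # confine keys to the prefix
        ],
    }
    policy_b64 = base64.b64encode(
        json.dumps(policy, separators=(",", ":")).encode("utf-8")).decode("ascii")
    return {
        "accessid": access_key_id,
        "host": host,
        "policy": policy_b64,
        "signature": sign_policy(access_key_secret, policy_b64),
        "expire": expire_ts,
        "dir": upload_dir,
    }


def build_form_fields(body, filename):
    """Form fields the client posts to OSS in step 3 (mirrors new_multipart_params).
    The object key is the server-chosen prefix plus the local file name; only the
    AccessKey ID appears, never the secret."""
    return {
        "key": body["dir"] + filename,
        "policy": body["policy"],
        "OSSAccessKeyId": body["accessid"],
        "success_action_status": "200",
        "signature": body["signature"],
    }


def decode_policy(policy_b64):
    """Decode the Base64 policy back into its JSON document for inspection."""
    return json.loads(base64.b64decode(policy_b64).decode("utf-8"))


def form_matches_policy(fields, now_ts):
    """Pre-flight check mirroring what OSS enforces: the policy must not have
    expired and the key must satisfy every starts-with condition on $key."""
    policy = decode_policy(fields["policy"])
    expiration = datetime.datetime.strptime(
        policy["expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=datetime.timezone.utc)
    if int(expiration.timestamp()) <= now_ts:
        return False
    for cond in policy["conditions"]:
        if cond[0] == "starts-with" and cond[1] == "$key" and not fields["key"].startswith(cond[2]):
            return False
    return True


if __name__ == "__main__":
    body = build_upload_policy(SAMPLE_ACCESS_KEY_ID, SAMPLE_ACCESS_KEY_SECRET,
                               "http://post-test.oss-cn-hangzhou.aliyuncs.com",
                               "user-dirs/", now_ts=1700000000)
    print(json.dumps(body, indent=2))
    print(build_form_fields(body, "exampleobject.txt"))
```

The two conditions are what keep a signed policy from being a blank cheque: content-length-range bounds the upload size, and starts-with on $key pins uploads to the prefix in dir, so a client cannot reuse the signature to overwrite objects elsewhere in the bucket. Keep expire_seconds short and generate a fresh policy per upload request.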

Sample code

For more information about the code for various programming languages that are used to obtain signature information from the server, configure upload callback, and directly upload data to OSS, see the following topics:

References

In most cases, the application server needs information about uploaded objects, such as which user uploaded an object and the name of the object. If a user uploads an image, the application server also needs the image size. You can configure upload callback to meet these requirements. For more information, see Overview.