我们建议您使用使用OpenAPI调试和集成服务端API文档中的在线调试和示例代码获取章节,基于阿里云OpenAPI门户获取集成实例代码。本文档中,我们额外提供了少量可以直接运行的示例代码供您参考。
示例代码概览
编程语言 | 集成方式 | 凭据初始化方式 | 示例代码 |
Java | SDK | 使用RAM子用户AK | |
使用OIDCRoleArn | |||
原生HTTPS(不推荐) | 使用RAM子用户AK | ||
使用OIDCRoleArn |
Java+SDK+AK
编程语言:Java
集成方式:SDK
凭据初始化方式:使用RAM子用户AK
依赖:
<dependency> <groupId>com.aliyun</groupId> <artifactId>cloudauth_intl20220809</artifactId> <version>***</version> // 请访问SDK中心获取最新版本:https://next.api.alibabacloud.com/api-tools/sdk/Cloudauth-intl?version=2022-08-09&language=java-tea&tab=primer-doc </dependency>示例代码
import com.aliyun.cloudauth_intl20220809.Client; import com.aliyun.cloudauth_intl20220809.models.InitializeRequest; import com.aliyun.cloudauth_intl20220809.models.InitializeResponse; import com.aliyun.cloudauth_intl20220809.models.InitializeResponseBody; import com.aliyun.teaopenapi.models.Config; public class Sample { private static Client client = null; static { try { // 构建Client client = createClient(); } catch (Exception e) { throw new RuntimeException(e); } } public static void main(String[] args) throws Exception { try { // 1.构造请求参数(本示例以Initialize接口为例,使用时请替换为您实际需要的接口) InitializeRequest request = new InitializeRequest(); request.setProductCode("***"); request.setMerchantBizId("***"); request.setMerchantUserId("***"); request.setMetaInfo("***"); request.setDocType("********"); request.setAuthorize("*"); // 2.接口调用(本示例以Initialize接口为例,使用时请替换为您实际需要的接口) InitializeResponse response = client.initialize(request); // 3.获取调用结果 Integer statusCode = response.getStatusCode();// 调用状态码 String code = response.getBody().getCode();// 调用code码 InitializeResponseBody.InitializeResponseBodyResult result = response.getBody().getResult(); // 调用返回 } catch (Exception e) { // 此处仅做打印展示,请谨慎对待异常处理,在工程项目中切勿直接忽略异常。 e.printStackTrace(); } } /** * 构建Client * @return * @throws Exception */ public static Client createClient() throws Exception { Config config = new Config(); // 设置账号ak,请不要将明文AK直接写在代码中,建议从环境变量中获取,否则将导致安全漏洞 config.setAccessKeyId("<your access key id>"); config.setAccessKeySecret("<your access key secret>"); // 设置endpoint和regionId(本示例以香港为例,使用时请替换为您实际需要的endpoint) config.setEndpoint("cloudauth-intl.cn-hongkong.aliyuncs.com"); config.setRegionId("cn-hongkong"); return new Client(config); } }
SDK+OIDCRoleArn
编程语言:Java
集成方式:SDK
凭据初始化方式:使用OIDCRoleArn
依赖:
<dependency> <groupId>com.aliyun</groupId> <artifactId>credentials-java</artifactId> <version>***</version> </dependency> // credentials-java的最新版本请查阅:https://central.sonatype.com/artifact/com.aliyun/credentials-java <dependency> <groupId>com.aliyun</groupId> <artifactId>cloudauth_intl20220809</artifactId> <version>***</version> // cloudauth_intl20220809 的最新版本请查阅:https://next.api.alibabacloud.com/api-tools/sdk/Cloudauth-intl?version=2022-08-09&language=java-tea&tab=primer-doc </dependency>示例代码
import com.aliyun.cloudauth_intl20220809.Client; import com.aliyun.cloudauth_intl20220809.models.InitializeRequest; import com.aliyun.cloudauth_intl20220809.models.InitializeResponse; import com.aliyun.cloudauth_intl20220809.models.InitializeResponseBody; import com.aliyun.teaopenapi.models.Config; public class Sample { private static Client client = null; static { try { // 构建 client client = createClient(); } catch (Exception e) { throw new RuntimeException(e); } } public static void main(String[] args) throws Exception { try { // 1.构造请求参数(本示例以Initialize接口为例,使用时请替换为您实际需要的接口) InitializeRequest request = new InitializeRequest(); request.setProductCode("***"); request.setMerchantBizId("***"); request.setMerchantUserId("***"); request.setMetaInfo("***"); request.setDocType("********"); request.setAuthorize("*"); // 2.接口调用(本示例以Initialize接口为例,使用时请替换为您实际需要的接口) InitializeResponse response = client.initialize(request); // 3.获取调用结果 Integer statusCode = response.getStatusCode();// 状态码 String code = response.getBody().getCode();// code码 InitializeResponseBody.InitializeResponseBodyResult result = response.getBody().getResult();// 返回详细内容 } catch (Exception e) { // 此处仅做打印展示,请谨慎对待异常处理,在工程项目中切勿直接忽略异常。 e.printStackTrace(); } } /** * 构建Client * @return * @throws Exception */ public static Client createClient() throws Exception { Config config = new Config(); // 设置凭据凭证 config.setCredential(getCredentialClient()); // 设置endpoint和regionId(本示例以香港为例,使用时请替换为您实际需要的endpoint) config.setEndpoint("cloudauth-intl.cn-hongkong.aliyuncs.com"); config.setRegionId("cn-hongkong"); return new Client(config); } public static com.aliyun.credentials.Client getCredentialClient() throws Exception { com.aliyun.credentials.models.Config credentialConfig = new com.aliyun.credentials.models.Config(); credentialConfig.setType("oidc_role_arn"); // RAM角色名称ARN,可以通过环境变量ALIBABA_CLOUD_ROLE_ARN设置RoleArn credentialConfig.setRoleArn("<RoleArn>"); // OIDC提供商ARN,可以通过环境变量ALIBABA_CLOUD_OIDC_PROVIDER_ARN设置OidcProviderArn credentialConfig.setOidcProviderArn("<OidcProviderArn>"); // OIDC Token文件路径,可以通过环境变量ALIBABA_CLOUD_OIDC_TOKEN_FILE设置OidcTokenFilePath credentialConfig.setOidcTokenFilePath("<OidcTokenFilePath>"); // 角色会话名称,可以通过环境变量ALIBABA_CLOUD_ROLE_SESSION_NAME设置RoleSessionName credentialConfig.setRoleSessionName("<RoleSessionName>"); // 设置更小的权限策略,非必填。示例值:{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"} credentialConfig.setPolicy("<Policy>"); // 设置session过期时间 credentialConfig.setRoleSessionExpiration(3600); return new com.aliyun.credentials.Client(credentialConfig); } }
原生http+AK
编程语言:Java
集成方式:原生HTTPS
凭据初始化方式:使用RAM子用户AK
依赖:
<dependency> <groupId>org.apache.httpcomponents</groupId> <artifactId>httpclient</artifactId> <version>4.5.13</version> </dependency> <dependency> <groupId>com.google.code.gson</groupId> <artifactId>gson</artifactId> <version>2.9.0</version> </dependency>示例代码
import com.google.gson.Gson; import com.google.gson.GsonBuilder; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpPost; import org.apache.http.client.methods.HttpUriRequest; import org.apache.http.client.utils.URIBuilder; import org.apache.http.entity.ByteArrayEntity; import org.apache.http.entity.ContentType; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; import org.apache.http.util.EntityUtils; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import javax.xml.bind.DatatypeConverter; import java.io.IOException; import java.io.UnsupportedEncodingException; import java.net.URISyntaxException; import java.net.URLEncoder; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.text.SimpleDateFormat; import java.util.*; public class Sample { /** * 请求示例 * @param args * @throws IOException */ public static void main(String[] args) throws IOException { // 设置API名称 (本示例以Initialize接口为例,使用时请替换为您实际需要的接口) String action= "Initialize"; // IDV接口版本号固定为2022-08-09 String version= "2022-08-09"; // 设置endpoint(本示例以香港为例,使用时请替换为您实际需要的endpoint) String host = "cloudauth-intl.cn-hongkong.aliyuncs.com"; // 设置账号ak,请不要将明文AK直接写在代码中,建议从环境变量中获取,否则将导致安全漏洞 String accessKey = "<your access key id>"; String accessSecret = "<your access key secret>"; // API请求参数 (本示例以Initialize接口为例,使用时请替换为您实际需要的接口) Map<String, String> params = new HashMap<>(); params.put("MerchantBizId", "**********"); params.put("ProductCode", "**********"); params.put("MerchantUserId", "**********"); params.put("MetaInfo", "**********"); // 1、构建服务API请求 CallRequest callRequest = buildIDVCallRequest(accessKey, accessSecret, action, version, host, params); // 2、调用IDV服务API String result = callApi(callRequest); // 3、输出结果 System.out.println(result); } /** * 构造请求IDV的请求参数,仅示例参考,请根据实际情况传入。 * @return */ private static CallRequest buildIDVCallRequest(String accessKeyId, String accessKeySecret, String action, String version, String host, Map<String, String> params) { // 请求地址 String httpMethod = "POST"; String canonicalUri = "/"; CallRequest callRequest = new CallRequest(httpMethod, canonicalUri, host, action, version, accessKeyId, accessKeySecret, null); Gson gson = (new GsonBuilder()).disableHtmlEscaping().create(); callRequest.body = gson.toJson(params).getBytes(StandardCharsets.UTF_8); callRequest.headers.put("content-type", "application/json"); // 计算签名并设置 String authorization = getAuthorization(callRequest); callRequest.headers.put("Authorization", authorization); return callRequest; } private static String callApi(CallRequest callRequest) { try { // 通过HttpClient发送请求 String url = "https://" + callRequest.host + callRequest.canonicalUri; URIBuilder uriBuilder = new URIBuilder(url); // 添加请求参数 for (Map.Entry<String, Object> entry : callRequest.queryParam.entrySet()) { uriBuilder.addParameter(entry.getKey(), String.valueOf(entry.getValue())); } HttpUriRequest httpRequest; HttpPost httpPost = new HttpPost(uriBuilder.build()); if (callRequest.body != null) { httpPost.setEntity(new ByteArrayEntity(callRequest.body, ContentType.create(callRequest.headers.get("content-type")))); } httpRequest = httpPost; // 添加http请求头 for (Map.Entry<String, String> entry : callRequest.headers.entrySet()) { httpRequest.addHeader(entry.getKey(), String.valueOf(entry.getValue())); } // 发送请求 try (CloseableHttpClient httpClient = HttpClients.createDefault(); CloseableHttpResponse response = httpClient.execute(httpRequest)) { String result = EntityUtils.toString(response.getEntity(), "UTF-8"); return result; } catch (IOException e) { // 异常处理 System.out.println("Failed to send request"); e.printStackTrace(); } } catch (URISyntaxException e) { // 异常处理 System.out.println("Invalid URI syntax"); e.printStackTrace(); } return null; } /** * 该方法用于根据传入的HTTP请求方法、规范化的URI、查询参数等,计算并生成授权信息。 */ private static String getAuthorization(CallRequest callRequest) { try { // 处理queryParam中参数值为List、Map类型的参数,将参数平铺 TreeMap<String, Object> newQueryParam = new TreeMap<>(); processObject(newQueryParam, "", callRequest.queryParam); callRequest.queryParam = newQueryParam; // 步骤 1:拼接规范请求串 // 请求参数,当请求的查询字符串为空时,使用空字符串作为规范化查询字符串 StringBuilder canonicalQueryString = new StringBuilder(); callRequest.queryParam.entrySet().stream().map(entry -> percentCode(entry.getKey()) + "=" + percentCode(String.valueOf(entry.getValue()))).forEachOrdered(queryPart -> { // 如果canonicalQueryString已经不是空的,则在查询参数前添加"&" if (canonicalQueryString.length() > 0) { canonicalQueryString.append("&"); } canonicalQueryString.append(queryPart); }); // 计算请求体的哈希值 String requestPayload = ""; // 请求体,当请求正文为空时,比如GET请求,RequestPayload固定为空字符串 String hashedRequestPayload = callRequest.body != null ? sha256Hex(callRequest.body) : sha256Hex(requestPayload.getBytes(StandardCharsets.UTF_8)); callRequest.headers.put("x-acs-content-sha256", hashedRequestPayload); // 构造请求头,多个规范化消息头,按照消息头名称(小写)的字符代码顺序以升序排列后拼接在一起 StringBuilder canonicalHeaders = new StringBuilder(); // 已签名消息头列表,多个请求头名称(小写)按首字母升序排列并以英文分号(;)分隔 StringBuilder signedHeadersSb = new StringBuilder(); callRequest.headers.entrySet().stream().filter(entry -> entry.getKey().toLowerCase().startsWith("x-acs-") || "host".equalsIgnoreCase(entry.getKey()) || "content-type".equalsIgnoreCase(entry.getKey())).sorted(Map.Entry.comparingByKey()).forEach(entry -> { String lowerKey = entry.getKey().toLowerCase(); String value = String.valueOf(entry.getValue()).trim(); canonicalHeaders.append(lowerKey).append(":").append(value).append("\n"); signedHeadersSb.append(lowerKey).append(";"); }); String signedHeaders = signedHeadersSb.substring(0, signedHeadersSb.length() - 1); String canonicalRequest = callRequest.httpMethod + "\n" + callRequest.canonicalUri + "\n" + canonicalQueryString + "\n" + canonicalHeaders + "\n" + signedHeaders + "\n" + hashedRequestPayload; // 步骤 2:拼接待签名字符串 String hashedCanonicalRequest = sha256Hex(canonicalRequest.getBytes(StandardCharsets.UTF_8)); // 计算规范化请求的哈希值 String stringToSign = "ACS3-HMAC-SHA256" + "\n" + hashedCanonicalRequest; // 步骤 3:计算签名 String signature = DatatypeConverter.printHexBinary(hmac256(callRequest.accessKeySecret.getBytes(StandardCharsets.UTF_8), stringToSign)).toLowerCase(); // 步骤 4:拼接 Authorization return "ACS3-HMAC-SHA256" + " " + "Credential=" + callRequest.accessKeyId + ",SignedHeaders=" + signedHeaders + ",Signature=" + signature; } catch (Exception e) { // 异常处理 e.printStackTrace(); throw new RuntimeException("Get authorization failed.", e); } } /** * 递归处理对象,将复杂对象(如Map和List)展开为平面的键值对 * * @param map 原始的键值对集合,将被递归地更新 * @param key 当前处理的键,随着递归的深入,键会带有嵌套路径信息 * @param value 对应于键的值,可以是嵌套的Map、List或其他类型 */ private static void processObject(Map<String, Object> map, String key, Object value) { // 如果值为空,则无需进一步处理 if (value == null) { return; } if (key == null) { key = ""; } // 当值为List类型时,遍历List中的每个元素,并递归处理 if (value instanceof List<?>) { List<?> list = (List<?>) value; for (int i = 0; i < list.size(); ++i) { processObject(map, key + "." + (i + 1), list.get(i)); } } else if (value instanceof Map<?, ?>) { // 当值为Map类型时,遍历Map中的每个键值对,并递归处理 Map<?, ?> subMap = (Map<?, ?>) value; for (Map.Entry<?, ?> entry : subMap.entrySet()) { processObject(map, key + "." + entry.getKey().toString(), entry.getValue()); } } else { // 对于以"."开头的键,移除开头的"."以保持键的连续性 if (key.startsWith(".")) { key = key.substring(1); } // 对于byte[]类型的值,将其转换为UTF-8编码的字符串 if (value instanceof byte[]) { map.put(key, new String((byte[]) value, StandardCharsets.UTF_8)); } else { // 对于其他类型的值,直接转换为字符串 map.put(key, String.valueOf(value)); } } } /** * 使用HmacSHA256算法生成消息认证码(MAC)。 * * @param secretKey 密钥,用于生成MAC的密钥,必须保密。 * @param str 需要进行MAC认证的消息。 * @return 返回使用HmacSHA256算法计算出的消息认证码。 * @throws Exception 如果初始化MAC或计算MAC过程中遇到错误,则抛出异常。 */ public static byte[] hmac256(byte[] secretKey, String str) throws Exception { // 实例化HmacSHA256消息认证码生成器 Mac mac = Mac.getInstance("HmacSHA256"); // 创建密钥规范,用于初始化MAC生成器 SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, mac.getAlgorithm()); // 初始化MAC生成器 mac.init(secretKeySpec); // 计算消息认证码并返回 return mac.doFinal(str.getBytes(StandardCharsets.UTF_8)); } /** * 使用SHA-256算法计算字符串的哈希值并以十六进制字符串形式返回。 * * @param input 需要进行SHA-256哈希计算的字节数组。 * @return 计算结果为小写十六进制字符串。 * @throws Exception 如果在获取SHA-256消息摘要实例时发生错误。 */ public static String sha256Hex(byte[] input) throws Exception { // 获取SHA-256消息摘要实例 MessageDigest md = MessageDigest.getInstance("SHA-256"); // 计算字符串s的SHA-256哈希值 byte[] d = md.digest(input); // 将哈希值转换为小写十六进制字符串并返回 return DatatypeConverter.printHexBinary(d).toLowerCase(); } /** * 对指定的字符串进行URL编码。 * 使用UTF-8编码字符集对字符串进行编码,并对特定的字符进行替换,以符合URL编码规范。 * * @param str 需要进行URL编码的字符串。 * @return 编码后的字符串。其中,加号"+"被替换为"%20",星号"*"被替换为"%2A",波浪号"%7E"被替换为"~"。 */ public static String percentCode(String str) { if (str == null) { throw new IllegalArgumentException("输入字符串不可为null"); } try { return URLEncoder.encode(str, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~"); } catch (UnsupportedEncodingException e) { throw new RuntimeException("UTF-8编码不被支持", e); } } private static class CallRequest { // HTTP Method private final String httpMethod; // 请求路径,当资源路径为空时,使用正斜杠(/)作为CanonicalURI private final String canonicalUri; // endpoint private final String host; // API name private final String xAcsAction; // API version private final String xAcsVersion; // accessKeyId private final String accessKeyId; // accessKeySecret private final String accessKeySecret; // STS令牌,非STS鉴权方式时,该参数为空 private final String securityToken; // headers TreeMap<String, String> headers = new TreeMap<>(); // body参数对应的字节数组,请求参数在元数据中显示"in":"body"或"in": "formData",表示参数放在body中 byte[] body; // query参数,请求参数在元数据中显示"in":"query",表示参数拼接在请求URL上 TreeMap<String, Object> queryParam = new TreeMap<>(); public CallRequest(String httpMethod, String canonicalUri, String host, String xAcsAction, String xAcsVersion, String accessKeyId, String accessKeySecret, String securityToken) { this.httpMethod = httpMethod; this.canonicalUri = canonicalUri; this.host = host; this.xAcsAction = xAcsAction; this.xAcsVersion = xAcsVersion; this.accessKeyId = accessKeyId; this.accessKeySecret = accessKeySecret; this.securityToken = securityToken; initHeader(); } // init headers private void initHeader() { headers.put("host", host); headers.put("x-acs-action", xAcsAction); headers.put("x-acs-version", xAcsVersion); SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'"); sdf.setTimeZone(new SimpleTimeZone(0, "GMT")); // 设置日期格式化时区为GMT headers.put("x-acs-date", sdf.format(new Date())); headers.put("x-acs-signature-nonce", UUID.randomUUID().toString()); if (securityToken != null) { headers.put("x-acs-security-token", securityToken); } } } }
原生http+OIDCRoleArn
编程语言:Java
集成方式:原生HTTPS
凭据初始化方式:使用OIDCRoleArn
依赖:
<dependency> <groupId>org.apache.httpcomponents</groupId> <artifactId>httpclient</artifactId> <version>4.5.13</version> </dependency> <dependency> <groupId>com.google.code.gson</groupId> <artifactId>gson</artifactId> <version>2.9.0</version> </dependency> <dependency> <groupId>com.aliyun</groupId> <artifactId>sts20150401</artifactId> <version>1.1.7</version> </dependency>示例代码
import com.aliyun.sts20150401.models.AssumeRoleWithOIDCResponse; import com.aliyun.sts20150401.models.AssumeRoleWithOIDCResponseBody; import com.aliyun.tea.TeaException; import com.google.gson.Gson; import com.google.gson.GsonBuilder; import org.apache.http.client.methods.*; import org.apache.http.client.utils.URIBuilder; import org.apache.http.entity.ByteArrayEntity; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; import org.apache.http.util.EntityUtils; import org.apache.http.entity.ContentType; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import javax.xml.bind.DatatypeConverter; import java.io.IOException; import java.io.UnsupportedEncodingException; import java.net.URISyntaxException; import java.net.URLEncoder; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.text.SimpleDateFormat; import java.util.*; public class Sample { /** * STS客户端,用于获取临时安全令牌(STS Token) */ private static com.aliyun.sts20150401.Client stsClient = null; static { com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config(); // 设置sts服务的Endpoint(本示例以日本东京为例,使用时请替换为您实际需要的endpoint) config.endpoint = "sts.ap-northeast-1.aliyuncs.com"; try { stsClient = new com.aliyun.sts20150401.Client(config); } catch (Exception e) { throw new RuntimeException(e); } } /** * 请求示例 * @param args * @throws IOException */ public static void main(String[] args) throws IOException { // 1、基于OIDC角色获取临时安全令牌(STS Token),有有效期,实际生产中可在有效期内缓存使用 AssumeRoleWithOIDCResponseBody.AssumeRoleWithOIDCResponseBodyCredentials credentials = getSTSToken(); // 设置API名称 (本示例以Initialize接口为例,使用时请替换为您实际需要的接口) String action= "Initialize"; // IDV接口版本号固定为2022-08-09 String version= "2022-08-09"; // 设置endpoint(本示例以香港为例,使用时请替换为您实际需要的endpoint) String host = "cloudauth-intl.cn-hongkong.aliyuncs.com"; // API请求参数(仅示例参考,实际开发中需要根据实际情况传入) Map<String, String> params = new HashMap<>(); params.put("MerchantBizId", "**********"); params.put("ProductCode", "**********"); params.put("MerchantUserId", "**********"); params.put("MetaInfo", "**********"); // 2、构建服务API请求 CallRequest callRequest = buildIDVCallRequest(credentials, action, version, host, params); // 3、调用IDV服务API String result = callApi(callRequest); // 4、输出结果 System.out.println(result); } /** * 构造请求IDV的请求参数,仅示例参考,请根据实际情况传入。 * @return */ private static CallRequest buildIDVCallRequest(AssumeRoleWithOIDCResponseBody.AssumeRoleWithOIDCResponseBodyCredentials credentials, String action, String version, String host, Map<String, String> params) { // 请求地址 String httpMethod = "POST"; String canonicalUri = "/"; CallRequest callRequest = new CallRequest(httpMethod, canonicalUri, host, action, version, credentials.getAccessKeyId(), credentials.getAccessKeySecret(), credentials.getSecurityToken()); Gson gson = (new GsonBuilder()).disableHtmlEscaping().create(); callRequest.body = gson.toJson(params).getBytes(StandardCharsets.UTF_8); callRequest.headers.put("content-type", "application/json"); // 计算签名并设置 String authorization = getAuthorization(callRequest); callRequest.headers.put("Authorization", authorization); return callRequest; } /** * 获取扮演角色的临时身份凭证(STS token) * STS的参考文档:https://www.alibabacloud.com/help/zh/ram/product-overview/what-is-sts * 本示例是基于AssumeRoleWithOIDC方式,另外还可以通过AssumeRole、AssumeRoleWithOIDC等获取临时身份凭证,参考文档:https://www.alibabacloud.com/help/zh/ram/developer-reference/api-sts-2015-04-01-dir-role-assuming * @return */ public static AssumeRoleWithOIDCResponseBody.AssumeRoleWithOIDCResponseBodyCredentials getSTSToken() { com.aliyun.sts20150401.models.AssumeRoleWithOIDCRequest assumeRoleWithOIDCRequest = new com.aliyun.sts20150401.models.AssumeRoleWithOIDCRequest() .setOIDCProviderArn("***") .setRoleArn("***") .setDurationSeconds(3600L) .setOIDCToken("***") .setRoleSessionName("***"); com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions(); try { // 复制代码运行请自行打印 API 的返回值 AssumeRoleWithOIDCResponse assumeRoleWithOIDCResponse = stsClient.assumeRoleWithOIDCWithOptions(assumeRoleWithOIDCRequest, runtime); return assumeRoleWithOIDCResponse.body.credentials; } catch (TeaException error) { // 此处仅做打印展示,请谨慎对待异常处理,在工程项目中切勿直接忽略异常。 // 错误 message System.out.println(error.getMessage()); // 诊断地址 System.out.println(error.getData().get("Recommend")); com.aliyun.teautil.Common.assertAsString(error.message); throw new RuntimeException(error); } catch (Exception _error) { TeaException error = new TeaException(_error.getMessage(), _error); // 此处仅做打印展示,请谨慎对待异常处理,在工程项目中切勿直接忽略异常。 // 错误 message System.out.println(error.getMessage()); // 诊断地址 System.out.println(error.getData().get("Recommend")); com.aliyun.teautil.Common.assertAsString(error.message); throw new RuntimeException(error); } } private static String callApi(CallRequest callRequest) { try { // 通过HttpClient发送请求 String url = "https://" + callRequest.host + callRequest.canonicalUri; URIBuilder uriBuilder = new URIBuilder(url); // 添加请求参数 for (Map.Entry<String, Object> entry : callRequest.queryParam.entrySet()) { uriBuilder.addParameter(entry.getKey(), String.valueOf(entry.getValue())); } HttpUriRequest httpRequest; HttpPost httpPost = new HttpPost(uriBuilder.build()); if (callRequest.body != null) { httpPost.setEntity(new ByteArrayEntity(callRequest.body, ContentType.create(callRequest.headers.get("content-type")))); } httpRequest = httpPost; // 添加http请求头 for (Map.Entry<String, String> entry : callRequest.headers.entrySet()) { httpRequest.addHeader(entry.getKey(), String.valueOf(entry.getValue())); } // 发送请求 try (CloseableHttpClient httpClient = HttpClients.createDefault(); CloseableHttpResponse response = httpClient.execute(httpRequest)) { String result = EntityUtils.toString(response.getEntity(), "UTF-8"); return result; } catch (IOException e) { // 异常处理 System.out.println("Failed to send request"); e.printStackTrace(); } } catch (URISyntaxException e) { // 异常处理 System.out.println("Invalid URI syntax"); e.printStackTrace(); } return null; } /** * 该方法用于根据传入的HTTP请求方法、规范化的URI、查询参数等,计算并生成授权信息。 */ private static String getAuthorization(CallRequest callRequest) { try { // 处理queryParam中参数值为List、Map类型的参数,将参数平铺 TreeMap<String, Object> newQueryParam = new TreeMap<>(); processObject(newQueryParam, "", callRequest.queryParam); callRequest.queryParam = newQueryParam; // 步骤 1:拼接规范请求串 // 请求参数,当请求的查询字符串为空时,使用空字符串作为规范化查询字符串 StringBuilder canonicalQueryString = new StringBuilder(); callRequest.queryParam.entrySet().stream().map(entry -> percentCode(entry.getKey()) + "=" + percentCode(String.valueOf(entry.getValue()))).forEachOrdered(queryPart -> { // 如果canonicalQueryString已经不是空的,则在查询参数前添加"&" if (canonicalQueryString.length() > 0) { canonicalQueryString.append("&"); } canonicalQueryString.append(queryPart); }); // 计算请求体的哈希值 String requestPayload = ""; // 请求体,当请求正文为空时,比如GET请求,RequestPayload固定为空字符串 String hashedRequestPayload = callRequest.body != null ? sha256Hex(callRequest.body) : sha256Hex(requestPayload.getBytes(StandardCharsets.UTF_8)); callRequest.headers.put("x-acs-content-sha256", hashedRequestPayload); // 构造请求头,多个规范化消息头,按照消息头名称(小写)的字符代码顺序以升序排列后拼接在一起 StringBuilder canonicalHeaders = new StringBuilder(); // 已签名消息头列表,多个请求头名称(小写)按首字母升序排列并以英文分号(;)分隔 StringBuilder signedHeadersSb = new StringBuilder(); callRequest.headers.entrySet().stream().filter(entry -> entry.getKey().toLowerCase().startsWith("x-acs-") || "host".equalsIgnoreCase(entry.getKey()) || "content-type".equalsIgnoreCase(entry.getKey())).sorted(Map.Entry.comparingByKey()).forEach(entry -> { String lowerKey = entry.getKey().toLowerCase(); String value = String.valueOf(entry.getValue()).trim(); canonicalHeaders.append(lowerKey).append(":").append(value).append("\n"); signedHeadersSb.append(lowerKey).append(";"); }); String signedHeaders = signedHeadersSb.substring(0, signedHeadersSb.length() - 1); String canonicalRequest = callRequest.httpMethod + "\n" + callRequest.canonicalUri + "\n" + canonicalQueryString + "\n" + canonicalHeaders + "\n" + signedHeaders + "\n" + hashedRequestPayload; // 步骤 2:拼接待签名字符串 String hashedCanonicalRequest = sha256Hex(canonicalRequest.getBytes(StandardCharsets.UTF_8)); // 计算规范化请求的哈希值 String stringToSign = "ACS3-HMAC-SHA256" + "\n" + hashedCanonicalRequest; // 步骤 3:计算签名 String signature = DatatypeConverter.printHexBinary(hmac256(callRequest.accessKeySecret.getBytes(StandardCharsets.UTF_8), stringToSign)).toLowerCase(); // 步骤 4:拼接 Authorization return "ACS3-HMAC-SHA256" + " " + "Credential=" + callRequest.accessKeyId + ",SignedHeaders=" + signedHeaders + ",Signature=" + signature; } catch (Exception e) { // 异常处理 e.printStackTrace(); throw new RuntimeException("Get authorization failed.", e); } } /** * 递归处理对象,将复杂对象(如Map和List)展开为平面的键值对 * * @param map 原始的键值对集合,将被递归地更新 * @param key 当前处理的键,随着递归的深入,键会带有嵌套路径信息 * @param value 对应于键的值,可以是嵌套的Map、List或其他类型 */ private static void processObject(Map<String, Object> map, String key, Object value) { // 如果值为空,则无需进一步处理 if (value == null) { return; } if (key == null) { key = ""; } // 当值为List类型时,遍历List中的每个元素,并递归处理 if (value instanceof List<?>) { List<?> list = (List<?>) value; for (int i = 0; i < list.size(); ++i) { processObject(map, key + "." + (i + 1), list.get(i)); } } else if (value instanceof Map<?, ?>) { // 当值为Map类型时,遍历Map中的每个键值对,并递归处理 Map<?, ?> subMap = (Map<?, ?>) value; for (Map.Entry<?, ?> entry : subMap.entrySet()) { processObject(map, key + "." + entry.getKey().toString(), entry.getValue()); } } else { // 对于以"."开头的键,移除开头的"."以保持键的连续性 if (key.startsWith(".")) { key = key.substring(1); } // 对于byte[]类型的值,将其转换为UTF-8编码的字符串 if (value instanceof byte[]) { map.put(key, new String((byte[]) value, StandardCharsets.UTF_8)); } else { // 对于其他类型的值,直接转换为字符串 map.put(key, String.valueOf(value)); } } } /** * 使用HmacSHA256算法生成消息认证码(MAC)。 * * @param secretKey 密钥,用于生成MAC的密钥,必须保密。 * @param str 需要进行MAC认证的消息。 * @return 返回使用HmacSHA256算法计算出的消息认证码。 * @throws Exception 如果初始化MAC或计算MAC过程中遇到错误,则抛出异常。 */ public static byte[] hmac256(byte[] secretKey, String str) throws Exception { // 实例化HmacSHA256消息认证码生成器 Mac mac = Mac.getInstance("HmacSHA256"); // 创建密钥规范,用于初始化MAC生成器 SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey, mac.getAlgorithm()); // 初始化MAC生成器 mac.init(secretKeySpec); // 计算消息认证码并返回 return mac.doFinal(str.getBytes(StandardCharsets.UTF_8)); } /** * 使用SHA-256算法计算字符串的哈希值并以十六进制字符串形式返回。 * * @param input 需要进行SHA-256哈希计算的字节数组。 * @return 计算结果为小写十六进制字符串。 * @throws Exception 如果在获取SHA-256消息摘要实例时发生错误。 */ public static String sha256Hex(byte[] input) throws Exception { // 获取SHA-256消息摘要实例 MessageDigest md = MessageDigest.getInstance("SHA-256"); // 计算字符串s的SHA-256哈希值 byte[] d = md.digest(input); // 将哈希值转换为小写十六进制字符串并返回 return DatatypeConverter.printHexBinary(d).toLowerCase(); } /** * 对指定的字符串进行URL编码。 * 使用UTF-8编码字符集对字符串进行编码,并对特定的字符进行替换,以符合URL编码规范。 * * @param str 需要进行URL编码的字符串。 * @return 编码后的字符串。其中,加号"+"被替换为"%20",星号"*"被替换为"%2A",波浪号"%7E"被替换为"~"。 */ public static String percentCode(String str) { if (str == null) { throw new IllegalArgumentException("输入字符串不可为null"); } try { return URLEncoder.encode(str, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~"); } catch (UnsupportedEncodingException e) { throw new RuntimeException("UTF-8编码不被支持", e); } } private static class CallRequest { // HTTP Method private final String httpMethod; // 请求路径,当资源路径为空时,使用正斜杠(/)作为CanonicalURI private final String canonicalUri; // endpoint private final String host; // API name private final String xAcsAction; // API version private final String xAcsVersion; // accessKeyId private final String accessKeyId; // accessKeySecret private final String accessKeySecret; // STS令牌,非STS鉴权方式时,该参数为空 private final String securityToken; // headers TreeMap<String, String> headers = new TreeMap<>(); // body参数对应的字节数组,请求参数在元数据中显示"in":"body"或"in": "formData",表示参数放在body中 byte[] body; // query参数,请求参数在元数据中显示"in":"query",表示参数拼接在请求URL上 TreeMap<String, Object> queryParam = new TreeMap<>(); public CallRequest(String httpMethod, String canonicalUri, String host, String xAcsAction, String xAcsVersion, String accessKeyId, String accessKeySecret, String securityToken) { this.httpMethod = httpMethod; this.canonicalUri = canonicalUri; this.host = host; this.xAcsAction = xAcsAction; this.xAcsVersion = xAcsVersion; this.accessKeyId = accessKeyId; this.accessKeySecret = accessKeySecret; this.securityToken = securityToken; initHeader(); } // init headers private void initHeader() { headers.put("host", host); headers.put("x-acs-action", xAcsAction); headers.put("x-acs-version", xAcsVersion); SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'"); sdf.setTimeZone(new SimpleTimeZone(0, "GMT")); // 设置日期格式化时区为GMT headers.put("x-acs-date", sdf.format(new Date())); headers.put("x-acs-signature-nonce", UUID.randomUUID().toString()); if (securityToken != null) { headers.put("x-acs-security-token", securityToken); } } } }