Create a URL signature using Java
In addition to the following code example, you can use the CloudFrontUrlSigner utility class in the Amazon SDK for Java (version
1) to create CloudFront signed
URLs.
For more examples, see Create signed URLs and cookies using an Amazon SDK in the Amazon SDK Code Examples Code Library.
Notes
-
Creating a signed URL is just one part of the process of serving private content with CloudFront. For more information about the entire process, see Use signed URLs.
-
In the
Signature.getInstancecall, note thatSHA1withRSAcan be replaced withSHA256withRSA.
Example Java policy and signature encryption methods
package org.example; import java.time.Instant; import java.time.temporal.ChronoUnit; import software.amazon.awssdk.services.cloudfront.CloudFrontUtilities; import software.amazon.awssdk.services.cloudfront.model.CannedSignerRequest; import software.amazon.awssdk.services.cloudfront.url.SignedUrl; public class Main { public static void main(String[] args) throws Exception { CloudFrontUtilities cloudFrontUtilities = CloudFrontUtilities.create(); Instant expirationDate = Instant.now().plus(7, ChronoUnit.DAYS); String resourceUrl = "https://a1b2c3d4e5f6g7.cloudfront.net"; String keyPairId = "K1UA3WV15I7JSD"; CannedSignerRequest cannedRequest = CannedSignerRequest.builder() .resourceUrl(resourceUrl) .privateKey(new java.io.File("/path/to/private_key.pem").toPath()) .keyPairId(keyPairId) .expirationDate(expirationDate) .build(); SignedUrl signedUrl = cloudFrontUtilities.getSignedUrlWithCannedPolicy(cannedRequest); String url = signedUrl.url(); System.out.println(url); } }
Example Canned Policy Signing with SHA256 in Java
package org.example; import java.io.File; import java.nio.file.Files; import java.security.KeyFactory; import java.security.PrivateKey; import java.security.Signature; import java.security.spec.PKCS8EncodedKeySpec; import java.time.Instant; import java.time.temporal.ChronoUnit; import java.util.Base64; public class Main { public static void main(String[] args) throws Exception { String resourceUrl = "https://a1b2c3d4e5f6g7.cloudfront.net/myfile.html"; String keyPairId = "K1UA3WV15I7JSD"; Instant expiration = Instant.now().plus(7, ChronoUnit.DAYS); PrivateKey privateKey = loadPrivateKey("/path/to/private_key.der"); System.out.println(createSignedUrl(resourceUrl, keyPairId, privateKey, expiration, "SHA1")); System.out.println(createSignedUrl(resourceUrl, keyPairId, privateKey, expiration, "SHA256")); } static String createSignedUrl(String resourceUrl, String keyPairId, PrivateKey privateKey, Instant expiration, String hashAlgorithm) throws Exception { long epochSeconds = expiration.getEpochSecond(); String policy = "{\"Statement\":[{\"Resource\":\"" + resourceUrl + "\",\"Condition\":{\"DateLessThan\":{\"AWS:EpochTime\":" + epochSeconds + "}}}]}"; String jcaAlgorithm = hashAlgorithm.equals("SHA256") ? "SHA256withRSA" : "SHA1withRSA"; Signature sig = Signature.getInstance(jcaAlgorithm); sig.initSign(privateKey); sig.update(policy.getBytes("UTF-8")); String signature = base64UrlEncode(sig.sign()); String url = resourceUrl + (resourceUrl.contains("?") ? "&" : "?") + "Expires=" + epochSeconds + "&Signature=" + signature + "&Key-Pair-Id=" + keyPairId; if (hashAlgorithm.equals("SHA256")) { url += "&Hash-Algorithm=SHA256"; } return url; } static String base64UrlEncode(byte[] bytes) { return Base64.getEncoder().encodeToString(bytes) .replace('+', '-') .replace('=', '_') .replace('/', '~'); } static PrivateKey loadPrivateKey(String path) throws Exception { byte[] keyBytes = Files.readAllBytes(new File(path).toPath()); return KeyFactory.getInstance("RSA") .generatePrivate(new PKCS8EncodedKeySpec(keyBytes)); } }
See also: