Every Query request requires a signature, computed as described in the previous section. The resulting signature string is placed in the URL being constructed as the value of the Signature query parameter. The string used to compute the hash is constructed using one of the two methods explained below.
Signature Version 1 is the recommended, safer method of signing requests. This version catches spoofing of any of the request parameters.
To calculate a signature (version 1)
SignatureVersion and excluding Signature, the value of which is being created), ignoring case. Optional parameters not included in the request should not be canonicalized as "empty" parameters. That is, if no value for a ParameterA is specified in the request, there should not be a ParameterA entry in the canonicalized string.
Example
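    import java.util.ArrayList;
    import java.util.Collections;
    import java.util.List;
    import java.util.Set;

    StringBuilder stringBuilder = new StringBuilder();
    /*
     * Assumes parameters are in a HashMap<String, String> named paramMap
     * where the key is the parameter name.
     */
    Set<String> paramSet = paramMap.keySet();
    List<String> params = new ArrayList<String>(paramSet.size());
    // Iterate over the request's parameter names (paramSet), not the
    // still-empty params list, so the names are actually collected.
    for (String param : paramSet)
    {
        // Don't include Signature in stringToSign
        if (param.equals(AWSRequestImpl.SIGNATURE_STR))
            continue;
        params.add(param);
    }
    // Sort parameter names, ignoring case
    Collections.sort(params, String.CASE_INSENSITIVE_ORDER);
    // Append each parameter name followed directly by its value
    for (String param : params)
    {
        stringBuilder.append(param);
        stringBuilder.append(paramMap.get(param));
    }
    System.out.println("String to sign : " + stringBuilder.toString());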
Signature Version 0 is a less secure but simpler method to sign requests. To compute the string to sign, simply concatenate the action specified in the Action query parameter and the value of the Timestamp query parameter. The SignatureVersion query parameter is not necessary when using this version.
Note: For both Signature Versions 0 and 1, do not URL-encode the concatenated string before computing the signature. URL encoding should be performed for the computed signature and other query parameters as specified in RFC1738, section 2.2. In addition, make sure to encode the + character although it is not required by RFC1738. This is required because the + character is interpreted as a blank space by Sun Java classes that do URL-decoding.
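The following added example (not part of the original documentation) builds both strings to sign for the same request, shows which version notices a changed parameter, and URL-encodes the result as the note requires. It assumes HMAC-SHA1 with base64 output for the hash, which this page defers to the previous section; the secret key, the ListItems action and the MaxItems parameter are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class QuerySignatureDemo {
    // Version 1: every parameter except Signature, sorted ignoring case, name then value.
    static String stringToSignV1(Map<String, String> params) {
        List<String> names = new ArrayList<>(params.keySet());
        names.remove("Signature"); // the value being created is never signed
        Collections.sort(names, String.CASE_INSENSITIVE_ORDER);
        StringBuilder sb = new StringBuilder();
        for (String name : names) sb.append(name).append(params.get(name));
        return sb.toString();
    }

    // Version 0: only the Action and Timestamp values are covered.
    static String stringToSignV0(Map<String, String> params) {
        return params.get("Action") + params.get("Timestamp");
    }

    // Assumption: HMAC-SHA1 over the raw (not URL-encoded) string, base64 output.
    static String sign(String data, String secretKey) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        String key = "constructed-secret-key";      // constructed sample key
        Map<String, String> sent = new HashMap<>();
        sent.put("Action", "ListItems");            // hypothetical action name
        sent.put("Timestamp", "2006-01-01T12:00:00Z");
        sent.put("SignatureVersion", "1");
        sent.put("MaxItems", "10");                 // hypothetical parameter
        Map<String, String> received = new HashMap<>(sent);
        received.put("MaxItems", "1000");           // value altered in transit

        String v1Sent = sign(stringToSignV1(sent), key);
        String v0Sent = sign(stringToSignV0(sent), key);
        System.out.println("v1 string to sign: " + stringToSignV1(sent));
        System.out.println("v1 signature still verifies after change: "
                + v1Sent.equals(sign(stringToSignV1(received), key)));
        System.out.println("v0 signature still verifies after change: "
                + v0Sent.equals(sign(stringToSignV0(received), key)));
        // Encode the signature only after computing it; URLEncoder turns '+' into %2B.
        System.out.println("Signature=" + URLEncoder.encode(v1Sent, "UTF-8"));
    }
}
```

A server that recomputes the signature from the parameters it received rejects the altered request under Version 1, while under Version 0 the comparison still succeeds because MaxItems was never part of the signed string.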