Authentication of Signature Carried in the Table Uploaded Through a Browser
OBS supports browser-based object upload using the POST method. Signatures of such requests are uploaded in tables. First, create a security policy and specify the requirements in the request, for example, bucket name and object name prefix. Then, create a signature based on this policy. The request form to be signed must contain valid signature and policy. Finally, create a table to upload the object to the bucket.
The process of calculating a signature is as follows:
- Encode the policy content in UTF-8.
- Encode the result of 1 in Base64.
- Use the SK to calculate the HMAC-SHA1 signature on the result of 2.
- Encode the result of 3 in Base64 to obtain the signature.
StringToSign = Base64( UTF-8-Encoding-Of( policy ) ) Signature = Base64( HMAC-SHA1( YourSecretAccessKeyID, StringToSign ) )
The content of the policy is as follows:
{ "expiration": "2017-12-31T12:00:00.000Z", "conditions": [ {"x-obs-acl": "public-read" }, {"x-obs-security-token": "YwkaRTbdY8g7q...." }, {"bucket": "book" }, ["starts-with", "$key", "user/"] ] }
The policy contains the validity period (see Expiration) and conditions (see Conditions).
Expiration
The expiration field describes when the signature will expire, which is expressed in the format according to ISO 8601 UTC. For example, expiration: 2017-12-31T12:00:00.000Z in the example means that the request becomes invalid after 12:00:00 on December 31, 2017. This field must be specified in a policy. It can only be in the yyyy-MM-dd'T'HH:mm:ss'Z' or yyyy-MM-dd'T'HH:mm:ss.SSS'Z' format.
Conditions
A mechanism used to verify the validity of a request. Conditions are used to define the content that must be contained in a request. In the example, the requested bucket name is book, the object name is prefixed with user/, and the ACL of the object is public read. All items in the form, excluding AccessKeyId, signature, file, policy, token, field names, and the prefix x-ignore-, must be included in the policy. The following table lists the items that should be contained in Conditions.
Element |
Description |
---|---|
x-obs-acl |
ACL in the request. Supports exact match and conditional match such as starts-with. |
content-length-range |
Maximum and minimum length of an object to be uploaded. The value can be a range. |
Cache-Control, Content-Type, Content-Disposition, Content-Encoding, Expires |
Headers specially for REST requests Supports exact match and conditional match such as starts-with. |
key |
Name of an object to be uploaded. Supports exact match and conditional match such as starts-with. |
bucket |
Name of the requested bucket. Supports exact match. |
success_action_redirect |
Redirection address after the upload is successful. For details, see Uploading an Object - POST. Supports exact match and conditional match such as starts-with. |
success_action_status |
If success_action_redirect is not specified, the status code is returned to the client when the upload is successful. For details, see Uploading an Object - POST. Supports exact match. |
x-obs-meta-* |
User-defined metadata. Keywords in an element cannot contain non-ASCII or unrecognizable characters. If non-ASCII or unrecognizable characters are necessary, they should be encoded and decoded on the client side. Either URL encoding or Base64 encoding is acceptable, but the server does not perform decoding. Supports exact match and conditional match such as starts-with. |
x-obs-* |
Other header fields with prefix x-obs-. Supports exact match and conditional match such as starts-with. |
x-obs-security-token |
Field name in the request header. Mandatory field for the temporary AK/SK and security token authentication. For details about how to obtain a temporary access key and security token, see Obtaining a Temporary Access Key and Security Token Through a Token. |
The table below describes how policy conditions can be matched.
Matching Method |
Description |
---|---|
Exact Matches |
Exact match by default. The value in the POST table must be the same as that in the policy. For example, if object ACL is set to public-read when the object is uploaded, the value of the x-obs-acl element in the table is public-read. Therefore, the conditions in the policy can be set to {"x-obs-acl": "public-read"} or ["eq", "$x-obs-acl", "public-read"], which are equivalent. |
Starts With |
If this condition is used, the value set in the POST table must start with a fixed character string. For example, if the name of uploaded objects must be prefixed with user/, the value of the key element in the table can be user/test1, user/test2, and so on. Therefore, conditions in the policy can be set to: ["starts-with", "$key", "user/"] |
Matching Any Content |
The corresponding element in the POST table can be any value. For example, if the redirection address upon request success can be any address, the value of the success_action_redirect element in the table can be any value. Therefore, conditions in the policy can be set to: ["starts-with", "$success_action_redirect", ""] |
Specifying Ranges |
The content length of the file element in the POST table can be a specified range and is used only to limit the object size. For example, if the size of the uploaded object is between 1 MB to 10 MB, the content length of the file element in the table can be from 1048576 to 10485760. Therefore, conditions in the policy can be set to (the value does not contain quotation marks) ["content-length-range", 1048576, 10485760] |
A policy is in the JSON format. Conditions can be put in curly brackets {} and square brackets []. The key and value elements of the table are written in the curly brackets {}, which are separated by colons (:). The square brackets [] contain the condition type, key, and value. These three items are separated by commas (,). The dollar sign ($) in front of the key indicates that the key is a variable.
The table below lists the characters that must be escaped in a policy.
Character After Escape |
Real Character |
---|---|
\\ |
Backslash (\) |
\$ |
Dollar symbol ($) |
\b |
Backspace |
\f |
Page up and down |
\n |
Newline characters |
\r |
Enter |
\t |
Horizontal table |
\v |
Vertical table |
\uxxxx |
All Unicode characters |
Request and Policy Examples
The following tables provide examples of requests and policies.
Example 1: Upload the testfile.txt object to bucket examplebucket and set the object ACL to public-read.
Request |
Policy |
---|---|
POST / HTTP/1.1 Host: examplebucket.obs.eu-west-101.myhuaweicloud.eu Content-Type: multipart/form-data; boundary=7e32233530b26 Content-Length: 1250 --7e32233530b26 Content-Disposition: form-data; name="key" testfile.txt --7e32233530b26 Content-Disposition: form-data; name="x-obs-acl" public-read --7e32233530b26 Content-Disposition: form-data; name="content-type" text/plain --7e32233530b26 Content-Disposition: form-data; name="AccessKeyId" UDSIAMSTUBTEST000002 --7e32233530b26 Content-Disposition: form-data; name="policy" ewogICJleHBpcmF0aW9uIjogIjIwMTktMDctMDFUMTI6MDA6MDAuMDAwWiIsCiAgImNvbmRpdGlvbnMiOiBbCiAgICB7ImJ1Y2tldCI6ICJleGFtcGxlYnVja2V0IiB9LAogICAgWyJlcSIsICIka2V5IiwgInRlc3RmaWxlLnR4dCJdLAoJeyJ4LW9icy1hY2wiOiAicHVibGljLXJlYWQiIH0sCiAgICBbImVxIiwgIiRDb250ZW50LVR5cGUiLCAidGV4dC9wbGFpbiJdLAogICAgWyJjb250ZW50LWxlbmd0aC1yYW5nZSIsIDYsIDEwXQogIF0KfQo= --7e32233530b26 Content-Disposition: form-data; name="signature" xxl7bZs/5FgtBUggOdQ88DPZUo0= --7e32233530b26 Content-Disposition: form-data; name="file"; filename="E:\TEST_FILE\TEST.txt" Content-Type: text/plain 123456 --7e32233530b26 Content-Disposition: form-data; name="submit" Upload --7e32233530b26-- |
{ "expiration": "2019-07-01T12:00:00.000Z", "conditions": [ {"bucket": "examplebucket" }, ["eq", "$key", "testfile.txt"], {"x-obs-acl": "public-read" }, ["eq", "$Content-Type", "text/plain"] ] } |
Example 2: Upload the file/obj1 object to bucket examplebucket and configure the four custom metadata items of the object.
Request |
Policy |
---|---|
POST / HTTP/1.1 Host: examplebucket.obs.eu-west-101.myhuaweicloud.eu Content-Type: multipart/form-data; boundary=7e329d630b26 Content-Length: 1597 --7e3542930b26 Content-Disposition: form-data; name="key" file/obj1 --7e3542930b26 Content-Disposition: form-data; name="AccessKeyId" UDSIAMSTUBTEST000002 --7e3542930b26 Content-Disposition: form-data; name="policy" ewogICJleHBpcmF0aW9uIjogIjIwMTktMDctMDFUMTI6MDA6MDAuMDAwWiIsCiAgImNvbmRpdGlvbnMiOiBbCiAgICB7ImJ1Y2tldCI6ICJleGFtcGxlYnVja2V0IiB9LAogICAgWyJzdGFydHMtd2l0aCIsICIka2V5IiwgImZpbGUvIl0sCiAgICB7Ingtb2JzLW1ldGEtdGVzdDEiOiJ2YWx1ZTEifSwKICAgIFsiZXEiLCAiJHgtb2JzLW1ldGEtdGVzdDIiLCAidmFsdWUyIl0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiR4LW9icy1tZXRhLXRlc3QzIiwgImRvYyJdLAogICAgWyJzdGFydHMtd2l0aCIsICIkeC1vYnMtbWV0YS10ZXN0NCIsICIiXQogIF0KfQo= --7e3542930b26 Content-Disposition: form-data; name="signature" HTId8hcaisn6FfdWKqSJP9RN4Oo= --7e3542930b26 Content-Disposition: form-data; name="x-obs-meta-test1" value1 --7e3542930b26 Content-Disposition: form-data; name="x-obs-meta-test2" value2 --7e3542930b26 Content-Disposition: form-data; name="x-obs-meta-test3" doc123 --7e3542930b26 Content-Disposition: form-data; name="x-obs-meta-test4" my --7e3542930b26 Content-Disposition: form-data; name="file"; filename="E:\TEST_FILE\TEST.txt" Content-Type: text/plain 123456 --7e3542930b26 Content-Disposition: form-data; name="submit" Upload --7e3542930b26-- |
{ "expiration": "2019-07-01T12:00:00.000Z", "conditions": [ {"bucket": "examplebucket" }, ["starts-with", "$key", "file/"], {"x-obs-meta-test1":"value1"}, ["eq", "$x-obs-meta-test2", "value2"], ["starts-with", "$x-obs-meta-test3", "doc"], ["starts-with", "$x-obs-meta-test4", ""] ] } |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.