Help Center/ Object Storage Service/ API Reference (ME-Abu Dhabi Region)/ Calling APIs/ Authentication/ Authentication of Signature Carried in the Table Uploaded Through a Browser
Updated on 2024-01-02 GMT+08:00

Authentication of Signature Carried in the Table Uploaded Through a Browser

OBS supports browser-based object upload using the POST method. Signatures of such requests are uploaded in tables. First, create a security policy and specify the requirements in the request, for example, Bucket name and object name prefix. Then, create a signature based on this policy. The request form to be signed must contain valid signature and policy. Finally, create a table to upload the object to the bucket.

The signature calculation process is as follows:

  1. The policy content is encoded in UTF-8 format.
  2. Perform Base64 encoding on the result obtained from the preceding step.
  3. Use the SK to perform the HMAC-SHA1 signature calculation on the result obtained from step 2.
  4. Perform Base64 encoding on the result of step 3 to obtain the signature.
StringToSign = Base64( UTF-8-Encoding-Of( policy ) )
Signature = Base64( HMAC-SHA1( YourSecretAccessKeyID, StringToSign ) )

The content of the policy is as follows:
{ "expiration": "2017-12-31T12:00:00.000Z",
  "conditions": [
    {"x-obs-acl": "public-read" },
    {"x-obs-security-token": "YwkaRTbdY8g7q...." },
    {"bucket": "book" },
    ["starts-with", "$key", "user/"]
  ]
}

The policy contains the validity period (see Expiration) and conditions (see Conditions).

Expiration

The expiration field describes when the signature will expire, which is expressed in the format according to ISO 8601 UTC. For example, expiration: 2017-12-31T12:00:00.000Z in the example means that the request becomes invalid after 12:00:00 on December 31, 2017. This field must be specified in a policy. It can only be in the yyyy-MM-dd'T'HH:mm:ss'Z' or yyyy-MM-dd'T'HH:mm:ss.SSS'Z' format.

Conditions

A mechanism used to verify the validity of a request. Conditions are used to define the content that must be contained in a request. In the example, the requested bucket name is book, the object name is prefixed with user/, and the ACL of the object is public read. All items in the form, excluding AccessKeyId, signature, file, policy, token, field names, and the prefix x-ignore-, must be included in the policy. The following table lists the items that should be contained in Conditions.

Table 1 Conditions contained in a policy

Element

Description

x-obs-acl

ACL in the request.

Supports exact match and conditional match such as starts-with.

content-length-range

Maximum and minimum length of an object to be uploaded. The value can be a range.

Cache-Control, Content-Type, Content-Disposition, Content-Encoding, Expires

Headers specially for REST requests

Supports exact match and conditional match such as starts-with.

key

Name of an object to be uploaded.

Supports exact match and conditional match such as starts-with.

bucket

Name of the requested bucket.

Supports exact match.

success_action_redirect

Redirection address after the upload is successful. For details, see Uploading Objects - POST.

Supports exact match and conditional match such as starts-with.

success_action_status

If success_action_redirect is not specified, the status code is returned to the client when the upload is successful. For details, see Uploading Objects - POST.

Supports exact match.

x-obs-meta-*

User-defined metadata.

Keywords in an element cannot contain non-ASCII or unrecognizable characters. If non-ASCII or unrecognizable characters are necessary, they should be encoded and decoded on the client side. Either URL encoding or Base64 encoding is acceptable, but the server does not perform decoding.

Supports exact match and conditional match such as starts-with.

x-obs-*

Other header fields with prefix x-obs-.

Supports exact match and conditional match such as starts-with.

x-obs-security-token

Field name in the request header.

Mandatory field for the temporary AK/SK and security token authentication.

The table below describes how policy conditions can be matched.

Table 2 Policy condition matching methods

Matching Method

Description

Exact Matches

Exact match by default. The value in the POST table must be the same as that in the policy. For example, if object ACL is set to public-read when the object is uploaded, the value of the x-obs-acl element in the table is public-read. Therefore, the conditions in the policy can be set to

{"x-obs-acl": "public-read"} or ["eq", "$x-obs-acl", "public-read"], which are equivalent.

Starts With

If this condition is used, the value set in the POST table must start with a fixed character string. For example, if the name of uploaded objects must be prefixed with user/, the value of the key element in the table can be user/test1, user/test2, and so on. Therefore, conditions in the policy can be set to:

["starts-with", "$key", "user/"]

Matching Any Content

The corresponding element in the POST table can be any value. For example, if the redirection address upon request success can be any address, the value of the success_action_redirect element in the table can be any value. Therefore, conditions in the policy can be set to:

["starts-with", "$success_action_redirect", ""]

Specifying Ranges

The content length of the file element in the POST table can be a specified range and is used only to limit the object size. For example, if the size of the uploaded object is between 1 MB to 10 MB, the content length of the file element in the table can be from 1048576 to 10485760. Therefore, conditions in the policy can be set to (the value does not contain quotation marks)

["content-length-range", 1048576, 10485760]

A policy is in the JSON format. Conditions can be put in curly brackets {} and square brackets []. The key and value elements of the table are written in the curly brackets {}, which are separated by colons (:). The square brackets [] contain the condition type, key, and value. These three items are separated by commas (,). The dollar sign ($) in front of the key indicates that the key is a variable.

The table below lists the characters that must be escaped in a policy.

Table 3 Characters that must be escaped in a policy

Character After Escape

Real Character

\\

Backslash (\)

\$

Dollar symbol ($)

\b

Backspace

\f

Page up and down

\n

Line breaks

\r

Enter

\t

Horizontal table

\v

Vertical table

\uxxxx

All Unicode characters

Request and Policy Examples

The following tables provide examples of requests and policies.

Example 1: Upload the testfile.txt object to bucket examplebucket and set the object ACL to public-read.

Request

policy

POST / HTTP/1.1

Host: examplebucket.obs.region.example.com

Content-Type: multipart/form-data; boundary=7e32233530b26

Content-Length: 1250

--7e32233530b26

Content-Disposition: form-data; name="key"

testfile.txt

--7e32233530b26

Content-Disposition: form-data; name="x-obs-acl"

public-read

--7e32233530b26

Content-Disposition: form-data; name="content-type"

text/plain

--7e32233530b26

Content-Disposition: form-data; name="AccessKeyId"

UDSIAMSTUBTEST000002

--7e32233530b26

Content-Disposition: form-data; name="policy"

ewogICJleHBpcmF0aW9uIjogIjIwMTktMDctMDFUMTI6MDA6MDAuMDAwWiIsCiAgImNvbmRpdGlvbnMiOiBbCiAgICB7ImJ1Y2tldCI6ICJleGFtcGxlYnVja2V0IiB9LAogICAgWyJlcSIsICIka2V5IiwgInRlc3RmaWxlLnR4dCJdLAoJeyJ4LW9icy1hY2wiOiAicHVibGljLXJlYWQiIH0sCiAgICBbImVxIiwgIiRDb250ZW50LVR5cGUiLCAidGV4dC9wbGFpbiJdLAogICAgWyJjb250ZW50LWxlbmd0aC1yYW5nZSIsIDYsIDEwXQogIF0KfQo=

--7e32233530b26

Content-Disposition: form-data; name="signature"

xxl7bZs/5FgtBUggOdQ88DPZUo0=

--7e32233530b26

Content-Disposition: form-data; name="file"; filename="E:\TEST_FILE\TEST.txt"

Content-Type: text/plain

123456

--7e32233530b26

Content-Disposition: form-data; name="submit"

Upload

--7e32233530b26--

{

"expiration": "2019-07-01T12:00:00.000Z",

"conditions": [

{"bucket": "examplebucket" },

["eq", "$key", "testfile.txt"],

{"x-obs-acl": "public-read" },

["eq", "$Content-Type", "text/plain"]

]

}

Example 2: Upload the file/obj1 object to bucket examplebucket and configure the four custom metadata items of the object.

Request

policy

POST / HTTP/1.1

Host: examplebucket.obs.region.example.com

Content-Type: multipart/form-data; boundary=7e329d630b26

Content-Length: 1597

--7e3542930b26

Content-Disposition: form-data; name="key"

file/obj1

--7e3542930b26

Content-Disposition: form-data; name="AccessKeyId"

UDSIAMSTUBTEST000002

--7e3542930b26

Content-Disposition: form-data; name="policy"

ewogICJleHBpcmF0aW9uIjogIjIwMTktMDctMDFUMTI6MDA6MDAuMDAwWiIsCiAgImNvbmRpdGlvbnMiOiBbCiAgICB7ImJ1Y2tldCI6ICJleGFtcGxlYnVja2V0IiB9LAogICAgWyJzdGFydHMtd2l0aCIsICIka2V5IiwgImZpbGUvIl0sCiAgICB7Ingtb2JzLW1ldGEtdGVzdDEiOiJ2YWx1ZTEifSwKICAgIFsiZXEiLCAiJHgtb2JzLW1ldGEtdGVzdDIiLCAidmFsdWUyIl0sCiAgICBbInN0YXJ0cy13aXRoIiwgIiR4LW9icy1tZXRhLXRlc3QzIiwgImRvYyJdLAogICAgWyJzdGFydHMtd2l0aCIsICIkeC1vYnMtbWV0YS10ZXN0NCIsICIiXQogIF0KfQo=

--7e3542930b26

Content-Disposition: form-data; name="signature"

HTId8hcaisn6FfdWKqSJP9RN4Oo=

--7e3542930b26

Content-Disposition: form-data; name="x-obs-meta-test1"

value1

--7e3542930b26

Content-Disposition: form-data; name="x-obs-meta-test2"

value2

--7e3542930b26

Content-Disposition: form-data; name="x-obs-meta-test3"

doc123

--7e3542930b26

Content-Disposition: form-data; name="x-obs-meta-test4"

my

--7e3542930b26

Content-Disposition: form-data; name="file"; filename="E:\TEST_FILE\TEST.txt"

Content-Type: text/plain

123456

--7e3542930b26

Content-Disposition: form-data; name="submit"

Upload

--7e3542930b26--

{

"expiration": "2019-07-01T12:00:00.000Z",

"conditions": [

{"bucket": "examplebucket" },

["starts-with", "$key", "file/"],

{"x-obs-meta-test1":"value1"},

["eq", "$x-obs-meta-test2", "value2"],

["starts-with", "$x-obs-meta-test3", "doc"],

["starts-with", "$x-obs-meta-test4", ""]

]

}