Access Denied - Streaming video through signed URLs on Amazon S3

Posted 2024-11-13 10:57:35 · 1057 characters · 0 views · 0 comments


I'm using the S3 service as a video provider for my software (C#) that runs locally.

For security issues I generate a Signed URL (Temporary URL) for the file and then pass it to the video player, but the player can only read the link if I swap "=" (equal) characters for "_" (underscore), as written here on this thread: https://forums.aws.amazon.com/thread.jspa?messageID=245291 in a post from an Amazon employee.

And here starts my problem: when I send the video URL without changing these chars it doesn't work.

If I don't change the chars but file permissions are "Authenticated users Only", I can reach the file but the video player can't, because of the characters issue.

If I change the chars and send the URL to the player, it works only if file access permissions are "Everyone can read/change", and that makes my "security solution" an insecure choice, because if someone gets the URL he will have access to the file.

Is that a bug from Amazon? Does someone have a solution for this?

Here goes a Signed URL example:

http://bucket-name.s3.amazonaws.com/video.flv?AWSAccessKeyId=AKIAILVSCA2AWHA7KM6Q&Expires=1307378448&Signature=FzWAI4dd8BfnzfCtbtAumQyiNvk%3D

Here goes a Changed Characters Signed URL example:

http://bucket-name.s3.amazonaws.com/video.flv?AWSAccessKeyId_AKIAILVSCA2AWHA7KM6Q&Expires_1307378448&Signature=FzWAI4dd8BfnzfCtbtAumQyiNvk%3D


Comments (1)

撑一把青伞 2024-11-20 10:57:35


There are a number of things going on here.

Firstly, the link you provide is talking about CloudFront URLs. I don't think it's possible to replace characters in S3 URLs as discussed.

Secondly, you shouldn't be changing the = signs directly after AWSAccessKeyId, Expires and Signature. The problem characters are only those that appear in the signature string. In your example the %3D at the end is = in URL-encoded form, and that's what you need to change.

The problem, though, is that if you change that character, the signature is no longer valid, and that's why private content is no longer accessible. Public content would be accessible, as the authentication part of the URL is just ignored by Amazon.

I ran into a similar problem with a Silverlight-based video player that failed if there were + (%2b) characters in the URL. I solved this by just generating a new URL in a loop until I had one that didn't have invalid characters. The key is to change the expiry time slightly in order to change the generated signature.

Here's an example using the AWS SDK (converted from VB.NET, so I hope the syntax is correct):

using System;
using Amazon;
using Amazon.S3;
using Model = Amazon.S3.Model;   // SDK v1 namespace holding GetPreSignedUrlRequest, Protocol, HttpVerb

// Returns a pre-signed GET URL whose signature contains no "+" (%2B).
// Each retry shifts the expiry by one second, which changes the HMAC signature.
string GetCleanPreSignedUrl(string AWSKey, string AWSSecretKey, string bucket, string key, int ExpiryInDays) {
    using (AmazonS3 client = AWSClientFactory.CreateAmazonS3Client(AWSKey, AWSSecretKey)) {

        string url = null;

        int secs = 0;
        do {
            var req = new Model.GetPreSignedUrlRequest {
                BucketName = bucket,
                Key = key,
                Protocol = Model.Protocol.HTTP,
                Verb = Model.HttpVerb.GET,
                Expires = DateTime.Now.AddDays(ExpiryInDays).AddSeconds(secs)
            };

            url = client.GetPreSignedURL(req);

            secs += 1;
        } while (url.ToLower().Contains("%2b"));   // retry while the encoded "+" is present

        return url;
    }
}

In my experience, the performance hit is negligible as generally only a couple of iterations are ever necessary to ensure a 'clean' url.
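Added example (not the answerer's code and not the AWS SDK): a stand-alone Python implementation of the signing scheme the URLs on this page use, S3 query-string authentication with signature version 2, i.e. Base64(HMAC-SHA1(secret, "GET\n\n\n<Expires>\n/<bucket>/<key>")). The credentials, bucket and key are constructed placeholders. It shows the server-side check that rejects the asker's "=" to "_" swap (any edit to the Signature value makes recomputation fail), and the answer's retry loop that shifts Expires until the signature is free of a given character. It also shows the limit of that loop: it can get rid of a "+", but never the trailing "=", because HMAC-SHA1 is 20 bytes and its base64 form always carries exactly one pad character, which is why every signed URL on this page ends in %3D.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

# Constructed placeholder credentials for the demo; not real AWS keys.
ACCESS_KEY_ID = "AKIAEXAMPLEKEYID0000"
SECRET_KEY = "example-secret-access-key-not-real"


def string_to_sign(bucket: str, key: str, expires: int) -> str:
    """StringToSign for S3 query-string authentication (signature version 2)
    on a plain GET: no Content-MD5, no Content-Type, no x-amz-* headers."""
    return f"GET\n\n\n{expires}\n/{bucket}/{key}"


def sign(secret: str, sts: str) -> str:
    """Base64(HMAC-SHA1(secret, StringToSign)). HMAC-SHA1 is 20 bytes, so the
    base64 form is always 28 characters and always ends in one '=' pad."""
    mac = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def presign(bucket: str, key: str, expires: int,
            access_key: str = ACCESS_KEY_ID, secret: str = SECRET_KEY) -> str:
    """Build the query-string-authenticated URL. '+', '/' and '=' inside the
    signature are percent-encoded, which is where %2B and %3D come from."""
    sig = sign(secret, string_to_sign(bucket, key, expires))
    return (f"http://{bucket}.s3.amazonaws.com/{key}"
            f"?AWSAccessKeyId={access_key}&Expires={expires}"
            f"&Signature={quote(sig, safe='')}")


def verify(url: str, secret: str = SECRET_KEY) -> bool:
    """What the server does: recompute the signature from the URL's own parts
    and compare. Any edit to the Signature value (e.g. '=' -> '_') fails here."""
    u = urlparse(url)
    if not u.hostname:
        return False
    bucket = u.hostname.split(".")[0]
    key = u.path.lstrip("/")
    q = parse_qs(u.query)            # percent-decodes, so %3D comes back as '='
    try:
        expires = int(q["Expires"][0])
        presented = q["Signature"][0]
    except (KeyError, ValueError):
        return False
    if not presented.isascii():
        return False
    expected = sign(secret, string_to_sign(bucket, key, expires))
    return hmac.compare_digest(presented, expected)


def presign_avoiding(bucket: str, key: str, expires: int,
                     bad_chars=("+",), max_tries: int = 100):
    """The answer's loop: shift Expires by one second per attempt until the raw
    signature contains none of bad_chars. Returns (url, attempts), or None when
    max_tries is exhausted, which is certain for bad_chars=("=",) because the
    base64 pad character is always present."""
    for i in range(max_tries):
        sig = sign(SECRET_KEY, string_to_sign(bucket, key, expires + i))
        if not any(c in sig for c in bad_chars):
            return presign(bucket, key, expires + i), i + 1
    return None


if __name__ == "__main__":
    url = presign("bucket-name", "video.flv", 1307378448)
    print(url)
    print("valid as issued:", verify(url))
    print("valid after '=' -> '_':", verify(url.replace("=", "_")))
    print("loop avoiding '+':", presign_avoiding("bucket-name", "video.flv", 1307378448))
    print("loop avoiding '=':",
          presign_avoiding("bucket-name", "video.flv", 1307378448, bad_chars=("=",), max_tries=20))
```

Running the module prints a signed URL, shows that it verifies as issued and fails once any "=" is rewritten, finds a "+"-free signature within a handful of attempts, and returns None for the "=" case no matter how many attempts are allowed.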
