开发者

Questions regarding uploading files to Amazon S3 using browser based HTTP POST

I have a couple of questions regarding uploading files to Amazon S3 directly by the user using HTTP POST form generated by a JSP page

  • The access key and the signature needs to be exposed to the user to allow him to upload files from a JSP form. In the signature I have to set the expiration time or else by de开发者_如何学运维fault it’s valid for 15 minutes.

    i) Can the user use these details to upload to S3 outside my portal to update his files or update/modify others files.

    ii). How can I set the policy to avoid this ?

  • Can the user use the signature for multiple requests ? If yes how to stop the user from doing multiple uploads ? How do I ensure that the user can use this signature with a request only once ?

  • Sometimes there might be problems at Amazon S3 with latencies and uploads. If the response from S3 takes time and the user tries to upload the file again. He will receive a exception, how can I handle this ?

thanks


The public access key cannot be used for anything without the secret key. Never expose your secret key.

As long as you sign the policy on the server you are safe. The signature is only valid for the time you specify and for uploading to a specific bucket and key. Without your secret key, the user has no way to create another signature to upload any other files.

They cannot access any other files.

As far as I am aware, the signature expiry time only needs to be valid while they initiate the upload so you can set a pretty short time.


i) Can the user use these details to upload to S3 outside my portal to update his files or update/modify others files.

Yes, the user can use these details to replay the action. You can specify the file name so he can only update the file he upload.

ii). How can I set the policy to avoid this ?

You can add some other conditions to limit the access. Like "expiration", set it to 5/10 minutes after the signature generated. And you can add any other conditions, like "user_id" or something else.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜