CloudFrontUtilities : cannot specify wildcard (*) resource url for a custom policy #5577

Open
catherinegrogan opened this issue Sep 9, 2024 · 0 comments
Labels
bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@catherinegrogan

Describe the bug

When using the new CloudFrontUtilities class to sign resource urls, it is not possible to specify a wildcard resource URL policy ('*') as the CustomSignerRequest.resourceUrl is used for both the policy and the URL to be signed.

The SigningUtils.buildCustomPolicyForSignedUrl(...) method which is called from the CloudFrontUtilities.getSignedUrlWithCustomPolicy(CustomSignerRequest request) method does appear to cater for this by defaulting to the wildcard if the resourceUrl is NULL BUT it is not possible to specify a null CustomSignerRequest.resourceUrl as this is also used for the URL to be signed.

Expected Behavior

Should be able to specify a custom policy resourceUrl as the 'wildcard' (or any other policy required) whilst also specifying the resourceUrl to be signed.

  • In the older AWS SDK this was possible as the custom policy was provided as a separate parameter string.

Current Behavior

Currently cannot specify a 'wildcard' resourceUrl for a custom policy separate to the URL to be signed.

Example:
When using a signed URL with primefaces '<p:graphicImage ... cache=false>' on a client page, primefaces adds a '&pfdrid_c' parameter to the URL. Without the ability to specify a wildcard policy for the resource url, this enforces the primefaces parameter to be present in the URL when signing.

Reproduction Steps

For example:
As indicated above, the code does try to set the default wildcard for the custom policy if a NULL resourceUrl is specified.
However, if you try to do this then you will get an NPE, as this value is also used as the URL to be signed.

i.e. if you try this in a test then you will get an NPE exception.

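CustomSignerRequest customSignerRequest = CustomSignerRequest.builder()
	.resourceUrl(null) // wildcard policy
	// ... etc
	.build();
// Throws a NullPointerException: resourceUrl is also used as the URL to be signed
String url = CloudFrontUtilities.create()
	.getSignedUrlWithCustomPolicy(customSignerRequest)
	.url();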

So the code as it stands forces the URL to be signed to always be specified & does not enable a custom resource URL policy to be specified which is different to the URL to be signed.

Possible Solution

  • Could add a new/separate CustomSignedResource parameter to enable the policy resource url to be specified in addition to the URL to be signed.

OR

  • Could make the CustomSignedResource.resourceUrl be specific to the custom policy & then add a new/separate parameter to the CloudFrontUtilities.create() API call

Additional Information/Context

No response

AWS Java SDK version used

2.27.19

JDK version used

openjdk version "17.0.8" 2023-07-18 LTS

Operating System and version

macOS Sonoma
