CloudFront supports signed cookies for serving up private content but I can't find any examples on how to do this.
I have found examples on how to sign URLs with the Java AWS API but not cookies. Can someone please share their experiences with doing this, and is this the best way to secure multiple forms of media being served from CloudFront?
Our site has images and video that are uploaded by the user, which can then be viewed by searches on our site. I want to make sure that these images can only be served by our site and not copied for later use.
Go to the CloudFront Console and create a new Distribution. The first part is the Origin Settings. As "Origin Domain Name" you must select your S3 bucket; the "Origin ID" is set automatically. To use a bucket that is completely private, "Restrict Bucket Access" must be set to yes.
Create a CloudFront Key Pair. Once you're logged in using root credentials, follow these steps: Go to the AWS account security credentials page. Expand "CloudFront key pairs" and click the "Create New Key Pair" button. From the opened dialog, download and save the generated private key file and public key file.
We were able to introduce signed cookies with custom policies using this library
http://www.jets3t.org/
You need three cookies created by your app as described here http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html
Please read that carefully. Especially the part on how to create a policy.
The three cookies are:
First create a policy
Date expirationTime = (new LocalDate()).plusYears(1).toDate();
String customPolicy = CloudFrontService.buildPolicyForSignedUrl(basePath, expirationTime, null, null);
//and assign it to a cookie
// CloudFront expects its URL-safe Base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'
String encodedPolicy = ServiceUtils.toBase64(customPolicy.getBytes("UTF-8")).replace('+', '-').replace('=', '_').replace('/', '~');
Cookie signedCookiePolicy = new Cookie("CloudFront-Policy", encodedPolicy);
signedCookiePolicy.setMaxAge(365 * 24 * 60 * 60);
signedCookiePolicy.setPath("/");
response.addCookie(signedCookiePolicy);
The signature is the tricky part but all tools are available once you use this jets3t thing
// Sign exactly the same policy bytes that were encoded into the CloudFront-Policy cookie
byte[] signatureBytes = EncryptionUtil.signWithRsaSha1(getDerPrivateKey(), customPolicy.getBytes("UTF-8"));
String signature = ServiceUtils.toBase64(signatureBytes).replace('+', '-').replace('=', '_').replace('/', '~');
// Use the signature computed above as the cookie value
Cookie signedCookieSignature = new Cookie("CloudFront-Signature", signature);
signedCookieSignature.setMaxAge(365 * 24 * 60 * 60);
signedCookieSignature.setPath("/");
response.addCookie(signedCookieSignature);
The third cookie only holds the key-id of your AWS account.
Cookie signedCookieKeyPairId = new Cookie("CloudFront-Key-Pair-Id","YOUR_AWS_CF_KEY_ID");
signedCookieKeyPairId.setMaxAge(365 * 24 * 60 * 60);
signedCookieKeyPairId.setPath("/");
response.addCookie(signedCookieKeyPairId);
The above only introduces you to the concepts of using the correct libs to create the signed cookies. It's not executable or runnable on its own.
Be nice, it's my first overflow contribution.
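A self-contained version of the three cookies described in the answer above, added here as an example and not part of the original answer or of jets3t; it uses only JDK classes. The throwaway RSA key, the placeholder domain `dxxxxxxxx.example.net`, the key ID string, the one-hour lifetime and the `Secure; HttpOnly` attributes are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class CloudFrontCookieExample {

    // CloudFront's URL-safe Base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
    static String cfBase64(byte[] data) {
        return Base64.getEncoder().encodeToString(data)
                .replace('+', '-').replace('=', '_').replace('/', '~');
    }

    // Custom policy JSON without whitespace. The resource may end in a wildcard.
    // Assumes the resource contains no characters that need JSON escaping.
    static String customPolicy(String resource, Instant expires) {
        return "{\"Statement\":[{\"Resource\":\"" + resource
                + "\",\"Condition\":{\"DateLessThan\":{\"AWS:EpochTime\":"
                + expires.getEpochSecond() + "}}}]}";
    }

    // Builds the three cookie values; policy and signature cover the same bytes.
    static Map<String, String> signedCookies(String resource, Instant expires,
            PrivateKey key, String keyPairId) throws GeneralSecurityException {
        byte[] policy = customPolicy(resource, expires).getBytes(StandardCharsets.UTF_8);
        Signature rsa = Signature.getInstance("SHA1withRSA");
        rsa.initSign(key);
        rsa.update(policy);
        Map<String, String> cookies = new LinkedHashMap<>();
        cookies.put("CloudFront-Policy", cfBase64(policy));
        cookies.put("CloudFront-Signature", cfBase64(rsa.sign()));
        cookies.put("CloudFront-Key-Pair-Id", keyPairId);
        return cookies;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a throwaway key stands in for the CloudFront private key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PrivateKey key = gen.generateKeyPair().getPrivate();
        Instant expires = Instant.now().plusSeconds(3600);
        signedCookies("https://dxxxxxxxx.example.net/media/*", expires, key, "YOUR_AWS_CF_KEY_ID")
            .forEach((name, value) -> System.out.println(
                "Set-Cookie: " + name + "=" + value + "; Path=/; Secure; HttpOnly"));
    }
}
```

In a real deployment the private key is loaded from the downloaded key file, and the resource in the policy must match the URLs the browser will request through the distribution.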