当前位置：首页 > news >正文

使用STS以及签名URL临时授权访问OSS资源

news 2025/9/10 13:52:36

本文介绍JAVA如何使用STS以及签名URL临时授权访问OSS资源。

注意事项

由于STS临时账号以及签名URL均需设置有效时长，当您使用STS临时账号生成签名URL执行相关操作（例如上传、下载文件）时，以最小的有效时长为准。例如您的STS临时账号的有效时长设置为1200秒、签名URL设置为3600秒时，当有效时长超过1200秒后，您无法使用此STS临时账号生成的签名URL上传文件。
本文以从环境变量读取访问凭证为例。如何配置访问凭证，请参见配置访问凭证。
本文以华东1（杭州）的外网Endpoint为例。如果您希望通过与OSS同地域的其他阿里云产品访问OSS，请使用格式为https://oss-cn-hangzhou-internal.aliyuncs.com的内网Endpoint。关于OSS支持的Region与Endpoint的对应关系，请参见访问域名和数据中心。
本文以使用OSS外网Endpoint新建OSSClient为例。如果您希望通过自定义域名、STS等方式新建OSSClient，请参见新建OSSClient。

使用STS进行临时授权

OSS可以通过阿里云STS（Security Token Service）进行临时授权访问。阿里云STS是为云计算用户提供临时访问令牌的Web服务。通过STS，您可以为第三方应用或子用户（即用户身份由您自己管理的用户）颁发一个自定义时效和权限的访问凭证。关于STS的更多信息，请参见STS介绍。

STS的优势如下：

您无需透露您的长期密钥（AccessKey）给第三方应用，只需生成一个访问令牌并将令牌交给第三方应用。您可以自定义这个令牌的访问权限及有效期限。
您无需关心权限撤销问题，访问令牌过期后自动失效。

通过STS临时授权访问OSS的步骤如下：

获取临时访问凭证

临时访问凭证包括临时访问密钥（AccessKey ID和AccessKey Secret）和安全令牌（SecurityToken）。临时访问凭证有效时间单位为秒，最小值为900，最大值以当前角色设定的最大会话时间为准。更多信息，请参见设置RAM角色最大会话时间。

您可以通过以下两种方式获取临时访问凭证。
- 方式一
  
  通过调用STS服务的AssumeRole接口获取临时访问凭证。
- 方式二
  
  通过各语言STS SDK获取临时访问凭证。

使用STS临时授权上传和下载文件。

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.model.GetObjectRequest;
import com.aliyun.oss.model.PutObjectRequest;
import java.io.File;public class Demo {public static void main(String[] args) throws Throwable {// 以华东1（杭州）的外网Endpoint为例，其它Region请按实际情况填写。String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";// 从环境变量中获取从STS服务请求返回的临时访问凭证。运行本代码示例之前，请确保已设置环境变量OSS_ACCESS_KEY_ID、OSS_ACCESS_KEY_SECRET以及OSS_SESSION_TOKEN。EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();// 填写Bucket名称，例如examplebucket。String bucketName = "examplebucket";// 填写Object完整路径，例如exampleobject.txt。Object完整路径中不能包含Bucket名称。String objectName = "exampleobject.txt";// 填写本地文件完整路径。String pathName = "D:\\localpath\\examplefile.txt";// 从STS服务获取临时访问凭证后，您可以通过临时访问密钥和安全令牌生成OSSClient。// 创建OSSClient实例。OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);try {            // 上传文件，此处以上传本地文件为例。            PutObjectRequest putObjectRequest = new PutObjectRequest(bucketName, objectName, new File(pathName));ossClient.putObject(putObjectRequest);// 下载OSS文件到本地文件。如果指定的本地文件存在则覆盖，不存在则新建。            //ossClient.getObject(new GetObjectRequest(bucketName, objectName), new File(pathName));} catch (OSSException oe) {System.out.println("Caught an OSSException, which means your request made it to OSS, "+ "but was rejected with an error response for some reason.");System.out.println("Error Message:" + oe.getErrorMessage());System.out.println("Error Code:" + oe.getErrorCode());System.out.println("Request ID:" + oe.getRequestId());System.out.println("Host ID:" + oe.getHostId());} catch (ClientException ce) {System.out.println("Caught an ClientException, which means the client encountered "+ "a serious internal problem while trying to communicate with OSS, "+ "such as not being able to access the network.");System.out.println("Error Message:" + ce.getMessage());} finally {if (ossClient != null) {ossClient.shutdown();}}}
}

使用签名URL进行临时授权

注意事项

生成签名URL过程中，SDK利用本地存储的密钥信息，根据特定算法计算出签名（signature），然后将其附加到URL上，以确保URL的有效性和安全性。这一系列计算和构造URL的操作都是在客户端完成，不涉及网络请求到服务端。因此，生成签名URL时不需要授予调用者特定权限。但是，为避免第三方用户无法对签名URL授权的资源执行相关操作，需要确保调用生成签名URL接口的身份主体被授予对应的权限。

例如，通过签名URL上传文件时，需要授予oss:PutObject权限。通过签名URL下载或预览文件时，需要授予oss:GetObject权限。
您可以将生成的签名URL提供给访客进行临时访问。生成签名URL时，您可以自定义URL的过期时间来限制访客的访问时长。
如果需要生成HTTPS协议的签名URL，请将Endpoint中的通信协议设置为HTTPS。
通过以下示例生成的签名URL中如果包含特殊符号+，可能出现无法正常访问该签名URL的现象。如需正常访问该签名URL，请将签名URL中的+替换为%2B。

以下是使用签名URL临时授权的常见示例。

生成以GET方法访问的签名URL

以下代码用于生成以GET方法访问的签名URL。

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import java.net.URL;
import java.util.Date;
import java.util.Date;public class Demo {public static void main(String[] args) throws Throwable {// 以华东1（杭州）的外网Endpoint为例，其它Region请按实际情况填写。String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";// 从环境变量中获取访问凭证。运行本代码示例之前，请确保已设置环境变量OSS_ACCESS_KEY_ID和OSS_ACCESS_KEY_SECRET。EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();// 填写Bucket名称，例如examplebucket。String bucketName = "examplebucket";// 填写Object完整路径，例如exampleobject.txt。Object完整路径中不能包含Bucket名称。String objectName = "exampleobject.txt";// 创建OSSClient实例。OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);try {// 设置签名URL过期时间，单位为毫秒。本示例以设置过期时间为1小时为例。Date expiration = new Date(new Date().getTime() + 3600 * 1000L);// 生成以GET方法访问的签名URL，访客可以直接通过浏览器访问相关内容。URL url = ossClient.generatePresignedUrl(bucketName, objectName, expiration);System.out.println(url);} catch (OSSException oe) {System.out.println("Caught an OSSException, which means your request made it to OSS, "+ "but was rejected with an error response for some reason.");System.out.println("Error Message:" + oe.getErrorMessage());System.out.println("Error Code:" + oe.getErrorCode());System.out.println("Request ID:" + oe.getRequestId());System.out.println("Host ID:" + oe.getHostId());} catch (ClientException ce) {System.out.println("Caught an ClientException, which means the client encountered "+ "a serious internal problem while trying to communicate with OSS, "+ "such as not being able to access the network.");System.out.println("Error Message:" + ce.getMessage());} finally {if (ossClient != null) {ossClient.shutdown();}}}
}

生成以其他HTTP方法访问的签名URL

如果您要授权其他用户临时执行其他操作（例如上传、删除文件等），需要生成对应的签名URL，例如生成以PUT方法访问的签名URL来上传文件。

以下代码用于生成以其他HTTP方法访问的签名URL。

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.common.utils.HttpHeaders;
import com.aliyun.oss.model.GeneratePresignedUrlRequest;
import java.io.ByteArrayInputStream;
import java.net.URL;
import java.util.*;
import java.util.Date;import static com.aliyun.oss.internal.OSSHeaders.OSS_USER_METADATA_PREFIX;public class Demo {public static void main(String[] args) throws Throwable {// 以华东1（杭州）的外网Endpoint为例，其它Region请按实际情况填写。String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";// 从环境变量中获取访问凭证。运行本代码示例之前，请确保已设置环境变量OSS_ACCESS_KEY_ID和OSS_ACCESS_KEY_SECRET。EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();// 填写Bucket名称，例如examplebucket。String bucketName = "examplebucket";// 填写Object完整路径，例如exampleobject.txt。Object完整路径中不能包含Bucket名称。String objectName = "exampleobject.txt";// 创建OSSClient实例。OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);try {GeneratePresignedUrlRequest request = new GeneratePresignedUrlRequest(bucketName, objectName, HttpMethod.PUT);// 设置签名URL过期时间，单位为毫秒。本示例以设置过期时间为1小时为例。Date expiration = new Date(new Date().getTime() + 3600 * 1000L);request.setExpiration(expiration);// 设置ContentType。request.setContentType("text/plain");// 设置自定义元数据。request.addUserMetadata("author", "aliy");// 生成签名URL。URL signedUrl = ossClient.generatePresignedUrl(request);System.out.println(signedUrl);Map<String, String> requestHeaders = new HashMap<String, String>();// 设置ContentType，必须和生成签名URL时设置的ContentType一致。requestHeaders.put(HttpHeaders.CONTENT_TYPE, "text/plain");// 设置自定义元数据。requestHeaders.put(OSS_USER_METADATA_PREFIX + "author", "aliy");// 使用签名URL上传文件。ossClient.putObject(signedUrl, new ByteArrayInputStream("Hello OSS".getBytes()), -1, requestHeaders, true);} catch (OSSException oe) {System.out.println("Caught an OSSException, which means your request made it to OSS, "+ "but was rejected with an error response for some reason.");System.out.println("Error Message:" + oe.getErrorMessage());System.out.println("Error Code:" + oe.getErrorCode());System.out.println("Request ID:" + oe.getRequestId());System.out.println("Host ID:" + oe.getHostId());} catch (ClientException ce) {System.out.println("Caught an ClientException, which means the client encountered "+ "a serious internal problem while trying to communicate with OSS, "+ "such as not being able to access the network.");System.out.println("Error Message:" + ce.getMessage());} finally {if (ossClient != null) {ossClient.shutdown();}}}
}

通过传入HttpMethod.PUT参数，访客可以使用生成的签名URL上传文件。

生成带有指定参数的签名URL

以下代码用于生成带有指定参数的签名URL。

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.model.GeneratePresignedUrlRequest;
import java.net.URL;
import java.util.*;
import java.util.Date;public class Demo {public static void main(String[] args) throws Throwable {// 以华东1（杭州）的外网Endpoint为例，其它Region请按实际情况填写。String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";// 从环境变量中获取访问凭证。运行本代码示例之前，请确保已设置环境变量OSS_ACCESS_KEY_ID和OSS_ACCESS_KEY_SECRET。EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();// 填写Bucket名称，例如examplebucket。String bucketName = "examplebucket";// 填写Object完整路径，例如exampleobject.txt。Object完整路径中不能包含Bucket名称。String objectName = "exampleobject.txt";// 创建OSSClient实例。OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);try {// 创建请求。GeneratePresignedUrlRequest generatePresignedUrlRequest = new GeneratePresignedUrlRequest(bucketName, objectName);// 设置HttpMethod为PUT。generatePresignedUrlRequest.setMethod(HttpMethod.PUT);// 添加用户自定义元数据。generatePresignedUrlRequest.addUserMetadata("author", "baymax");// 设置ContentType。generatePresignedUrlRequest.setContentType("application/txt");// 设置签名URL过期时间，单位为毫秒。本示例以设置过期时间为1小时为例。Date expiration = new Date(new Date().getTime() + 3600 * 1000L);generatePresignedUrlRequest.setExpiration(expiration);// 生成签名URL。URL url = ossClient.generatePresignedUrl(generatePresignedUrlRequest);System.out.println(url);} catch (OSSException oe) {System.out.println("Caught an OSSException, which means your request made it to OSS, "+ "but was rejected with an error response for some reason.");System.out.println("Error Message:" + oe.getErrorMessage());System.out.println("Error Code:" + oe.getErrorCode());System.out.println("Request ID:" + oe.getRequestId());System.out.println("Host ID:" + oe.getHostId());} catch (ClientException ce) {System.out.println("Caught an ClientException, which means the client encountered "+ "a serious internal problem while trying to communicate with OSS, "+ "such as not being able to access the network.");System.out.println("Error Message:" + ce.getMessage());} finally {if (ossClient != null) {ossClient.shutdown();}}}
}

生成带有versionId的签名URL

以下代码用于生成带有versionId的签名URL。

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.model.GeneratePresignedUrlRequest;
import java.net.URL;
import java.util.*;
import java.util.Date;public class Demo {public static void main(String[] args) throws Throwable {// 以华东1（杭州）的外网Endpoint为例，其它Region请按实际情况填写。String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";// 从环境变量中获取访问凭证。运行本代码示例之前，请确保已设置环境变量OSS_ACCESS_KEY_ID和OSS_ACCESS_KEY_SECRET。EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();// 填写Bucket名称，例如examplebucket。String bucketName = "examplebucket";// 填写Object完整路径，例如exampleobject.txt。Object完整路径中不能包含Bucket名称。String objectName = "exampleobject.txt";// 填写Object的versionId。String versionId = "CAEQARiBgID8rumR2hYiIGUyOTAyZGY2MzU5MjQ5ZjlhYzQzZjNlYTAyZDE3****";// 创建OSSClient实例。OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);try {// 创建请求。GeneratePresignedUrlRequest generatePresignedUrlRequest = new GeneratePresignedUrlRequest(bucketName, objectName);// 设置HttpMethod为GET。generatePresignedUrlRequest.setMethod(HttpMethod.GET);// 设置签名URL过期时间，单位为毫秒。本示例以设置过期时间为1小时为例。Date expiration = new Date(new Date().getTime() + 3600 * 1000L);generatePresignedUrlRequest.setExpiration(expiration);// Object的versionId。Map<String, String> queryParam = new HashMap<String, String>();queryParam.put("versionId", versionId);generatePresignedUrlRequest.setQueryParameter(queryParam);// 生成签名URL。URL url = ossClient.generatePresignedUrl(generatePresignedUrlRequest);System.out.println(url);} catch (OSSException oe) {System.out.println("Caught an OSSException, which means your request made it to OSS, "+ "but was rejected with an error response for some reason.");System.out.println("Error Message:" + oe.getErrorMessage());System.out.println("Error Code:" + oe.getErrorCode());System.out.println("Request ID:" + oe.getRequestId());System.out.println("Host ID:" + oe.getHostId());} catch (ClientException ce) {System.out.println("Caught an ClientException, which means the client encountered "+ "a serious internal problem while trying to communicate with OSS, "+ "such as not being able to access the network.");System.out.println("Error Message:" + ce.getMessage());} finally {if (ossClient != null) {ossClient.shutdown();}}}
}

使用签名URL临时授权上传或下载文件

使用签名URL上传文件

以下代码用于生成上传的签名URL，并使用签名URL临时授权简单上传文件。

说明

您也可以先生成签名URL后再通过该URL临时授权简单上传文件。关于如何生成签名URL，请参见URL签名。

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.internal.OSSHeaders;
import com.aliyun.oss.model.GeneratePresignedUrlRequest;
import com.aliyun.oss.model.StorageClass;
import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.entity.FileEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import java.io.*;
import java.net.URL;
import java.util.*;
import java.util.Date;public class Demo {public static void main(String[] args) throws Throwable {// 以华东1（杭州）的外网Endpoint为例，其它Region请按实际情况填写。String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";// 从环境变量中获取访问凭证。运行本代码示例之前，请确保已设置环境变量OSS_ACCESS_KEY_ID和OSS_ACCESS_KEY_SECRET。EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();// 填写Bucket名称，例如examplebucket。String bucketName = "examplebucket";// 填写Object完整路径，例如exampleobject.txt。Object完整路径中不能包含Bucket名称。String objectName = "exampleobject.txt";// 填写本地文件的完整路径。如果未指定本地路径，则默认从示例程序所属项目对应本地路径中上传文件。String pathName = "D:\\localpath\\examplefile.txt";// 创建OSSClient实例OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);// 设置请求头。Map<String, String> headers = new HashMap<String, String>();/*// 指定Object的存储类型。headers.put(OSSHeaders.STORAGE_CLASS, StorageClass.Standard.toString());// 指定ContentType。headers.put(OSSHeaders.CONTENT_TYPE, "text/txt");*/// 设置用户自定义元数据。Map<String, String> userMetadata = new HashMap<String, String>();/*userMetadata.put("key1","value1");userMetadata.put("key2","value2");*/URL signedUrl = null;try {// 指定生成的签名URL过期时间，单位为毫秒。本示例以设置过期时间为1小时为例。Date expiration = new Date(new Date().getTime() + 3600 * 1000L);// 生成签名URL。GeneratePresignedUrlRequest request = new GeneratePresignedUrlRequest(bucketName, objectName, HttpMethod.PUT);// 设置过期时间。request.setExpiration(expiration);// 将请求头加入到request中。request.setHeaders(headers);// 添加用户自定义元数据。request.setUserMetadata(userMetadata);// 通过HTTP PUT请求生成签名URL。signedUrl = ossClient.generatePresignedUrl(request);// 打印签名URL。System.out.println("signed url for putObject: " + signedUrl);} catch (OSSException oe) {System.out.println("Caught an OSSException, which means your request made it to OSS, "+ "but was rejected with an error response for some reason.");System.out.println("Error Message:" + oe.getErrorMessage());System.out.println("Error Code:" + oe.getErrorCode());System.out.println("Request ID:" + oe.getRequestId());System.out.println("Host ID:" + oe.getHostId());} catch (ClientException ce) {System.out.println("Caught an ClientException, which means the client encountered "+ "a serious internal problem while trying to communicate with OSS, "+ "such as not being able to access the network.");System.out.println("Error Message:" + ce.getMessage());}// 通过签名URL临时授权简单上传文件，以HttpClients为例说明。putObjectWithHttp(signedUrl, pathName, headers, userMetadata);}public static void putObjectWithHttp(URL signedUrl, String pathName, Map<String, String> headers, Map<String, String> userMetadata) throws IOException {CloseableHttpClient httpClient = null;CloseableHttpResponse response = null;try {HttpPut put = new HttpPut(signedUrl.toString());HttpEntity entity = new FileEntity(new File(pathName));put.setEntity(entity);// 如果生成签名URL时设置了header参数，例如用户元数据，存储类型等，则调用签名URL上传文件时，也需要将这些参数发送至服务端。如果签名和发送至服务端的不一致，会报签名错误。for(Map.Entry header: headers.entrySet()){put.addHeader(header.getKey().toString(),header.getValue().toString());}for(Map.Entry meta: userMetadata.entrySet()){// 如果使用userMeta，sdk内部会为userMeta拼接"x-oss-meta-"前缀。当您使用其他方式生成签名URL进行上传时，userMeta也需要拼接"x-oss-meta-"前缀。put.addHeader("x-oss-meta-"+meta.getKey().toString(), meta.getValue().toString());}httpClient = HttpClients.createDefault();response = httpClient.execute(put);System.out.println("返回上传状态码："+response.getStatusLine().getStatusCode());if(response.getStatusLine().getStatusCode() == 200){System.out.println("使用网络库上传成功");}System.out.println(response.toString());} catch (Exception e){e.printStackTrace();} finally {response.close();httpClient.close();}}
}

使用签名URL临时授权分片上传

当您希望使用签名URL以分片上传的方式上传大文件到OSS时，您需要先初始化分片上传，然后把每一个分片生成一个对应的上传签名URL，并返回给第三方应用。第三方应用可以使用这些签名URL上传所有的分片信息，然后合并分片来达到通过签名URL实现分片上传的目的。

以下代码用于生成分片上传的签名URL，并使用签名URL临时授权分片上传。

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.common.comm.io.BoundedInputStream;
import com.aliyun.oss.common.utils.BinaryUtil;
import com.aliyun.oss.common.utils.CRC64;
import com.aliyun.oss.internal.OSSHeaders;
import com.aliyun.oss.model.*;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.entity.BufferedHttpEntity;
import org.apache.http.entity.InputStreamEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.DefaultHttpRequestRetryHandler;
import org.apache.http.impl.client.HttpClients;
import java.io.*;
import java.math.BigInteger;
import java.net.URL;
import java.util.*;
import java.util.Date;
import java.util.zip.CheckedInputStream;public class SignUrlMultipart {public static void main(String[] args) throws Throwable {// 以华东1（杭州）的外网Endpoint为例，其它Region请按实际情况填写。String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";// 从环境变量中获取访问凭证。运行本代码示例之前，请确保已设置环境变量OSS_ACCESS_KEY_ID和OSS_ACCESS_KEY_SECRET。EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();// 填写Bucket名称，例如examplebucket。String bucketName = "examplebucket";// 填写Object完整路径，例如exampleobject.txt。Object完整路径中不能包含Bucket名称。String objectName = "exampleobject.txt";// 填写本地文件的完整路径。如果未指定本地路径，则默认从示例程序所属项目对应本地路径中上传文件。String pathName = "D:\\localpath\\examplefile.txt";// 指定生成的签名URL过期时间，单位为毫秒。本示例以设置过期时间为1小时为例。long expireTime = 3600*1000L;// 创建OSSClient实例。OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);// 创建InitiateMultipartUploadRequest对象。InitiateMultipartUploadRequest initRequest = new InitiateMultipartUploadRequest(bucketName, objectName);// 初始化分片。InitiateMultipartUploadResult upResult = ossClient.initiateMultipartUpload(initRequest);// 返回uploadId。uploadId是分片上传事件的唯一标识。您可以根据该uploadId发起相关的操作，例如取消分片上传、查询分片上传等。String uploadId = upResult.getUploadId();// partETags是PartETag的集合。PartETag由分片的ETag和分片号组成。List<PartETag> partETags =  new ArrayList<PartETag>();// 每个分片的大小，用于计算文件有多少个分片。单位为字节。long partSize = 1 * 100 * 1024L;   //100kb。// 填写本地文件的完整路径。如果未指定本地路径，则默认从示例程序所属项目对应本地路径中上传文件。File sampleFile = new File(pathName);long fileLength = sampleFile.length();// 如果希望设置为1个分片，可以将分片大小设置为文件大小。// long fileLength = sampleFile.length();int partCount = (int) (fileLength / partSize);if (fileLength % partSize != 0) {partCount++;}// 设置签名URL的请求头。Map<String, String> headers = new HashMap<String, String>();/*// 指定Object的存储类型。headers.put(OSSHeaders.STORAGE_CLASS, StorageClass.Standard.toString());// 指定ContentType。headers.put(OSSHeaders.CONTENT_TYPE, "text/txt");*/// 遍历分片获取分片签名，并上传分片。// 您还可以一次返回所有分片的签名URL，然后依次上传。此处以返回单个签名URL，并通过签名URL上传单个分片为例。for (int i = 0; i < partCount; i++) {long startPos = i * partSize;long curPartSize = (i + 1 == partCount) ? (fileLength - startPos) : partSize;/*// 设置md5校验，只支持对单个分片进行md5校验FileInputStream inStream = new FileInputStream(pathName);// 跳过已经上传的分片。inStream.skip(startPos);BoundedInputStream entity = new BoundedInputStream(inStream, partSize);String md5 = BinaryUtil.toBase64String(DigestUtils.md5(entity));headers.put("Content-MD5", md5);*/String signUrl = getSignUrl(ossClient, bucketName, objectName, HttpMethod.PUT, expireTime, i + 1, uploadId, headers);// 通过签名URL上传文件，以HttpClients为例说明。putObjectWithHttp(signUrl, pathName, startPos, curPartSize, headers);}// 假设合并分片时，与上传分片不在同一个系统。此时，您需要先列举分片，然后再合并分片。// 列举已上传的分片。ListPartsRequest listPartsRequest = new ListPartsRequest(bucketName, objectName, uploadId);PartListing partListing = ossClient.listParts(listPartsRequest);// 遍历分片，并填充partETags。for (PartSummary part : partListing.getParts()) {PartETag partETag = new PartETag(part.getPartNumber(), part.getETag());partETags.add(partETag);}// 合并分片。CompleteMultipartUploadRequest completeMultipartUploadRequest =new CompleteMultipartUploadRequest(bucketName, objectName, uploadId, partETags);// String md5 = BinaryUtil.toBase64String(BinaryUtil.calculateMd5("aaa".getBytes()));// 设置禁止覆盖同名文件。// completeMultipartUploadRequest.addHeader("x-oss-forbid-overwrite", "true");// 完成分片上传。CompleteMultipartUploadResult completeMultipartUploadResult = ossClient.completeMultipartUpload(completeMultipartUploadRequest);System.out.println("合并分片成功，上传分片完成。");// 校验整体上传文件是否完整CRC64 crc = new CRC64();InputStream inStream = new FileInputStream(pathName);byte[] bytes = new byte[1024];int cnt;while ((cnt = inStream.read(bytes)) != -1) {crc.update(bytes, 0, cnt);}if(crc.getValue() == completeMultipartUploadResult.getServerCRC()){System.out.println("上传文件完整");} else {System.out.println("上传文件不完整，请做异常处理");}}public static void putObjectWithHttp(String signedUrl, String pathName, long startPos, long partSize, Map<String, String> headers) throws IOException {CloseableHttpClient httpClient = null;CloseableHttpResponse response = null;try {HttpPut put = new HttpPut(signedUrl);FileInputStream inStream = new FileInputStream(pathName);// 跳过已经上传的分片。inStream.skip(startPos);InputStreamEntity entity = new InputStreamEntity(inStream, partSize);BufferedHttpEntity byteArrayEntity = new BufferedHttpEntity(entity);put.setEntity(byteArrayEntity);// 如果生成签名URL时设置了header参数，例如用户元数据，存储类型等，则调用签名URL上传文件时，也需要将这些参数发送至服务端。如果签名和发送至服务端的不一致，会报签名错误。for(Map.Entry header: headers.entrySet()){put.addHeader(header.getKey().toString(),header.getValue().toString());}// 加入重试，设置为重试3次。这里仅为举例，业务代码根据需要自行设置重试httpClient = HttpClients.custom().setRetryHandler(new DefaultHttpRequestRetryHandler(3, true)).build();response = httpClient.execute(put);System.out.println("返回上传状态码："+response.getStatusLine().getStatusCode());if(response.getStatusLine().getStatusCode() == 200){System.out.println("使用网络库上传成功");}System.out.println(response.toString());} catch (Exception e){e.printStackTrace();} finally {if(response != null){response.close();}if(httpClient != null){httpClient.close();}}}public static String getSignUrl(OSS ossClient, String bucketName, String objectName, HttpMethod method, long expireTime, int partNum, String uploadId, Map<String, String> headers){// 指定生成的签名URL过期时间，单位为毫秒。Date expiration = new Date(new Date().getTime() + expireTime);// 生成签名URL。GeneratePresignedUrlRequest request = new GeneratePresignedUrlRequest(bucketName, objectName, method);// 设置过期时间。request.setExpiration(expiration);// 将请求头加入到request中。request.setHeaders(headers);request.addQueryParameter("partNumber", String.valueOf(partNum));request.addQueryParameter("uploadId", uploadId);// 通过HTTP Method请求生成签名URL。URL signedUrl = ossClient.generatePresignedUrl(request);// 打印签名URL。System.out.println("signed url: " + signedUrl);return signedUrl.toString();}
}

使用签名URL临时授权下载文件

以下代码用于生成下载的签名URL，并使用签名URL临时授权下载文件。

import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.internal.OSSHeaders;
import com.aliyun.oss.model.GeneratePresignedUrlRequest;
import com.aliyun.oss.model.StorageClass;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import java.io.*;
import java.net.URL;
import java.util.*;
import java.util.Date;public class Demo {public static void main(String[] args) throws Throwable {// 以华东1（杭州）的外网Endpoint为例，其它Region请按实际情况填写。String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";// 从环境变量中获取访问凭证。运行本代码示例之前，请确保已设置环境变量OSS_ACCESS_KEY_ID和OSS_ACCESS_KEY_SECRET。EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();// 填写Bucket名称，例如examplebucket。String bucketName = "examplebucket";// 填写Object完整路径，例如exampleobject.txt。Object完整路径中不能包含Bucket名称。String objectName = "exampleobject.txt";// 填写下载到本地文件的完整路径。String pathName = "D:\\localpath\\examplefile.txt";// 创建OSSClient实例。OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);// 设置请求头。Map<String, String> headers = new HashMap<String, String>();/*// 指定Object的存储类型。headers.put(OSSHeaders.STORAGE_CLASS, StorageClass.Standard.toString());// 指定ContentType。headers.put(OSSHeaders.CONTENT_TYPE, "text/txt");*/// 设置用户自定义元数据。Map<String, String> userMetadata = new HashMap<String, String>();/*userMetadata.put("key1","value1");userMetadata.put("key2","value2");*/URL signedUrl = null;try {// 指定生成的签名URL过期时间，单位为毫秒。本示例以设置过期时间为1小时为例。Date expiration = new Date(new Date().getTime() + 3600 * 1000L);// 生成签名URL。GeneratePresignedUrlRequest request = new GeneratePresignedUrlRequest(bucketName, objectName, HttpMethod.GET);// 设置过期时间。request.setExpiration(expiration);// 将请求头加入到request中。request.setHeaders(headers);// 添加用户自定义元数据。request.setUserMetadata(userMetadata);// 设置查询参数。// Map<String, String> queryParam = new HashMap<String, String>();// 指定IP地址或者IP地址段，对应日志中sourceIpFromSource的值。// queryParam.put("x-oss-ac-source-ip","192.0.2.0");// 将子网掩码转换为二进制，然后填写转换结果中1的数量。// queryParam.put("x-oss-ac-subnet-mask","32");// 指定VPC ID。// queryParam.put("x-oss-ac-vpc-id","vpc-12345678");// 指定是否允许转发请求。// queryParam.put("x-oss-ac-forward-allow","true");// request.setQueryParameter(queryParam);// 设置单链接限速，单位为bit，例如限速100 KB/s。// request.setTrafficLimit(100 * 1024 * 8);// 通过HTTP GET请求生成签名URL。signedUrl = ossClient.generatePresignedUrl(request);// 打印签名URL。System.out.println("signed url for putObject: " + signedUrl);} catch (OSSException oe) {System.out.println("Caught an OSSException, which means your request made it to OSS, "+ "but was rejected with an error response for some reason.");System.out.println("Error Message:" + oe.getErrorMessage());System.out.println("Error Code:" + oe.getErrorCode());System.out.println("Request ID:" + oe.getRequestId());System.out.println("Host ID:" + oe.getHostId());} catch (ClientException ce) {System.out.println("Caught an ClientException, which means the client encountered "+ "a serious internal problem while trying to communicate with OSS, "+ "such as not being able to access the network.");System.out.println("Error Message:" + ce.getMessage());}// 通过签名URL下载文件，以HttpClients为例说明。getObjectWithHttp(signedUrl, pathName, headers, userMetadata);}public static void getObjectWithHttp(URL signedUrl, String pathName, Map<String, String> headers, Map<String, String> userMetadata) throws IOException {CloseableHttpClient httpClient = null;CloseableHttpResponse response = null;try {HttpGet get = new HttpGet(signedUrl.toString());// 如果生成签名URL时设置了header参数，例如用户元数据，存储类型等，则调用签名URL下载文件时，也需要将这些参数发送至服务端。如果签名和发送至服务端的不一致，会报签名错误。for(Map.Entry header: headers.entrySet()){get.addHeader(header.getKey().toString(),header.getValue().toString());}for(Map.Entry meta: userMetadata.entrySet()){// 如果使用userMeta，sdk内部会为userMeta拼接"x-oss-meta-"前缀。当您使用其他方式生成签名URL进行下载时，userMeta也需要拼接"x-oss-meta-"前缀。get.addHeader("x-oss-meta-"+meta.getKey().toString(), meta.getValue().toString());}httpClient = HttpClients.createDefault();response = httpClient.execute(get);System.out.println("返回下载状态码："+response.getStatusLine().getStatusCode());if(response.getStatusLine().getStatusCode() == 200){System.out.println("使用网络库下载成功");}System.out.println(response.toString());// 保存文件到磁盘。saveFileToLocally(response.getEntity().getContent(), pathName);} catch (Exception e){e.printStackTrace();} finally {response.close();httpClient.close();}}public static void saveFileToLocally(InputStream inputStream, String pathName) throws IOException {DataInputStream in = null;OutputStream out = null;try {in = new DataInputStream(inputStream);out = new DataOutputStream(new FileOutputStream(pathName));int bytes = 0;byte[] bufferOut = new byte[1024];while ((bytes = in.read(bufferOut)) != -1) {out.write(bufferOut, 0, bytes);}} catch (Exception e){e.printStackTrace();} finally {in.close();out.close();}}
}

常见问题

使用临时签名进行文件上传时，在上传过程中签名过期了，上传中的文件会失败吗？

简单上传时不会失败。

如果是分片上传，上传过程中签名过期了，可能影响其余分片的上传。

注意事项

使用STS进行临时授权

使用签名URL进行临时授权

注意事项

生成以GET方法访问的签名URL

生成以其他HTTP方法访问的签名URL

生成带有指定参数的签名URL

使用签名URL临时授权上传或下载文件

常见问题

使用临时签名进行文件上传时，在上传过程中签名过期了，上传中的文件会失败吗？

相关文章：