Ah I see what you mean now, and I don't think you're missing anything. I offer my apologies for not reading more carefully to see that SQS and Alexa hash different formats for the signature from what S3 requires. In that case you will have to manually create the signature, as Restlet only supports the format required by S3. Check out com.noelios.restlet.util.SecurityUtils.format to see how to implement the basic scheme using the S3 format. Basically, it creates the TICKET:SIGNATURE value which can then be used in the constructor ChallengeResponse(ChallengeScheme scheme, String credentials) as the value for credentials. That value can then be used in the Request.
As a future enhancement perhaps ChallengeResponse should additionally accept scheme-specific contextual information in some fashion. For AWS it could contain an ordered collection of which headers to use to create the signature to be hashed, since that is the only difference between the authentication between these three services. I don't know of any other non-custom authentication schemes that would currently benefit from this, but you never know what the future will hold.

________________________________
From: Guy Ernest [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 20, 2007 12:48 PM
To: [email protected]
Subject: Re: Using Restlet to interact with Amazon SQS

Yes, I saw (and I am using) the support for the S3 services and it is working great. I couldn't completely understand from reading the code how it is working, and I couldn't make it work for the other services as SQS and Alexa Thumbnails.

What I don't really understand is how to use the different mechanism to build the signature:

In the code we are passing the keys:

request.setChallengeResponse(new ChallengeResponse(ChallengeScheme.HTTP_AWS, PUBLIC_KEY, PRIVATE_KEY));

But each service is requesting a different data to build the signature:

For example in SQS (Simple Queue Service):

To calculate the value for <Signature>:
1. Create a string with the format:
HTTP-METHOD>\n<content-MD5>\n<ContentType>\n<date>\n<path>
For example:
PUT\n\ntext/plain\nThu, 01 Jun 2006 12:12:23 PDT\n/
2. Use your AWS Secret Access Key to create an HMAC-SHA1 hash of the string and use that as the value of <Signature>.
(From: http://s3.amazonaws.com/awsdocs/SQS/20070501/sqs-dg-20070501.pdf page 79)

In S3 (Simple Storage Service):

The Signature element is the RFC 2104 HMAC-SHA1 of selected elements from the request, and so the Signature part of the Authorization header will vary from request to request.
If the request signature calculated by the system matches the Signature included with the request, then the requester will have demonstrated possession to the AWS Secret Access Key. The request will then be processed under the identity, and with the authority, of the developer to whom the key was issued.

The following pseudo-grammar illustrates the construction of the Authorization request header. (\n means the Unicode code point U+000A)

Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature;
Signature = Base64( HMAC-SHA1( UTF-8-Encoding-Of( StringToSign ) ) );
StringToSign = HTTP-Verb + "\n" +
    Content-MD5 + "\n" +
    Content-Type + "\n" +
    Date + "\n" +
    CanonicalizedAmzHeaders +
    CanonicalizedResource;
CanonicalizedResource = [ "/" + Bucket ] +
    <HTTP-Request-URI, from the protocol name up to the query string> +
    [ sub-resource, if present. For example "?acl", "?location", "?logging", or "?torrent"];
CanonicalizedAmzHeaders = <described below>
(from http://s3.amazonaws.com/awsdocs/S3/20060301/s3-dg-20060301.pdf page 54)

And for Alexa Thumbnails:

Signature=[UrlEncoded HMAC-SHA1digest of "Thumbnail2005-01-31T23:59:183Z"]
(From http://docs.amazonwebservices.com/AlexaSiteThumbnail/2007-01-01/)

Am I missing some basic understanding about the ResponseChallenge process? Or can someone direct me to the right class to set the exact mechanism for each service.

Have fun,
Guy.

On Dec 18, 2007 11:05 PM, Larry Zappaterrini <[EMAIL PROTECTED]> wrote:
>
> Restlet already supports AWS authentication from the client perspective.
> Check out org.restlet.data.ChallengeResponse and
> org.restlet.data.Request.setChallengeResponse to see the mechanisms for
> accomplishing this. As for actually manipulating a Request's headers, they
> are set by calling Request.getAttributes().put() with the key equal
> to com.noelios.restlet.http.HttpConstants.ATTRIBUTE_HEADERS with the value
> as an instance of org.restlet.data.Form containing all of the headers and their
> values.
>
> ________________________________
>
> From: Guy Ernest [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, December 18, 2007 11:44 AM
> To: [email protected]
> Subject: Using Restlet to interact with Amazon SQS
>
> I noticed that you have excellent examples about using Amazon S3 with
> Restlet, I was wondering if SQS can have the same treatment. I would prefer
> to use it with the REST interface and not the heavy SOAP/WSDL.
>
> The following instructions are from the REST section of the SQS
> documentation of Amazon AWS:
>
> About the Authorization Header
> The authorization header is a string that follows this format:
> AWS <AWSAccessKeyId>:<Signature>
> Note that there is a space after "AWS".
> To calculate the value for <Signature>:
> 1. Create a string with the format:
> HTTP-METHOD>\n<content-MD5>\n<ContentType>\n<date>\n<path>
> For example:
> PUT\n\ntext/plain\nThu, 01 Jun 2006 12:12:23 PDT\n/
> 2. Use your AWS Secret Access Key to create an HMAC-SHA1 hash of the string
> and use that as the
> value of <Signature>.
>
> Since I'm a newbie in using Restlet, I will appreciate if someone can help in
> explaining:
> 1. how to create such a header
> 2. how to add this header alongside other headers (AWS-Version, for
> example)
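
Added example, not part of the thread and not Restlet's own code: one way to build by hand the SQS signature discussed above, producing the "AccessKeyId:Signature" string that the top reply suggests passing as the credentials argument of ChallengeResponse(ChallengeScheme scheme, String credentials). The class and method names and the key values are constructed for illustration, the Base64 output encoding is an assumption carried over from the S3 grammar quoted in the thread, and verify() shows the receiver-side match the S3 excerpt describes.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SqsSignatureExample {

    // String-to-sign layout quoted in the thread for SQS:
    // method, content MD5, content type, date and path joined by "\n".
    static String stringToSign(String method, String contentMd5,
                               String contentType, String date, String path) {
        return String.join("\n", method, contentMd5, contentType, date, path);
    }

    // HMAC-SHA1 keyed with the secret access key. Base64 encoding of the
    // result is an assumption taken from the S3 grammar in the thread.
    static String sign(String secretKey, String toSign) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        byte[] digest = mac.doFinal(toSign.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Receiver side: recompute the signature and compare in constant time,
    // so the comparison does not leak how many leading bytes matched.
    static boolean verify(String secretKey, String toSign, String presented)
            throws GeneralSecurityException {
        byte[] expected = sign(secretKey, toSign).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed placeholder credentials, not real keys.
        String accessKeyId = "EXAMPLE_ACCESS_KEY_ID";
        String secretKey = "EXAMPLE_SECRET_ACCESS_KEY";

        // Same request as the documentation example quoted in the thread.
        String toSign = stringToSign("PUT", "", "text/plain",
                "Thu, 01 Jun 2006 12:12:23 PDT", "/");
        String signature = sign(secretKey, toSign);

        // Value for the credentials argument; the header is "AWS " + credentials.
        String credentials = accessKeyId + ":" + signature;
        System.out.println("Authorization: AWS " + credentials);

        // A signature over a different path must not verify.
        String tampered = stringToSign("PUT", "", "text/plain",
                "Thu, 01 Jun 2006 12:12:23 PDT", "/other");
        System.out.println("original verifies: " + verify(secretKey, toSign, signature));
        System.out.println("tampered verifies: " + verify(secretKey, tampered, signature));
    }
}
```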

