Amazon CloudFront
Developer Guide (API Version 2016-09-29)

Create a URL Signature Using Java

The Open source Java toolkit for Amazon S3 and CloudFront provides example code and information about CloudFront development in Java. For information about private distributions, go to Private Distributions at Programmer Guide: Code Samples.

You can also create signed URLs by using the CloudFrontUrlSigner class in the AWS SDK for Java. For more information, see Class UrlSigner in the AWS SDK for Java API Reference.


Creating a URL signature is just one part of the process of serving private content using a signed URL. For more information about the entire process, see Using Signed URLs.

The following methods are from the Java open source toolkit for Amazon S3 and CloudFront. You must convert the private key from PEM to DER format for Java implementations to use it.

Example Java Policy and Signature Encryption Methods

// Signed URLs for a private distribution // Note that Java only supports SSL certificates in DER format, // so you will need to convert your PEM-formatted file to DER format. // To do this, you can use openssl: // openssl pkcs8 -topk8 -nocrypt -in origin.pem -inform PEM -out new.der // -outform DER // So the encoder works correctly, you should also add the bouncy castle jar // to your project and then add the provider. Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); String distributionDomain = ""; String privateKeyFilePath = "/path/to/rsa-private-key.der"; String s3ObjectKey = "s3/object/key.txt"; String policyResourcePath = "http://" + distributionDomain + "/" + s3ObjectKey; // Convert your DER file into a byte array. byte[] derPrivateKey = ServiceUtils.readInputStreamToBytes(new FileInputStream(privateKeyFilePath)); // Generate a "canned" signed URL to allow access to a // specific distribution and object String signedUrlCanned = CloudFrontService.signUrlCanned( "http://" + distributionDomain + "/" + s3ObjectKey, // Resource URL or Path keyPairId, // Certificate identifier, // an active trusted signer for the distribution derPrivateKey, // DER Private key data ServiceUtils.parseIso8601Date("2011-11-14T22:20:00.000Z") // DateLessThan ); System.out.println(signedUrlCanned); // Build a policy document to define custom restrictions for a signed URL. String policy = CloudFrontService.buildPolicyForSignedUrl( // Resource path (optional, can include '*' and '?' wildcards) policyResourcePath, // DateLessThan ServiceUtils.parseIso8601Date("2011-11-14T22:20:00.000Z"), // CIDR IP address restriction (optional, means everyone) "", // DateGreaterThan (optional) ServiceUtils.parseIso8601Date("2011-10-16T06:31:56.000Z") ); // Generate a signed URL using a custom policy document. String signedUrl = CloudFrontService.signUrl( // Resource URL or Path "http://" + distributionDomain + "/" + s3ObjectKey, // Certificate identifier, an active trusted signer for the distribution keyPairId, // DER Private key data derPrivateKey, // Access control policy policy ); System.out.println(signedUrl);

See also