Describe the bug
When using the new CloudFrontUtilities class to sign resource URLs, it is not possible to specify a wildcard resource URL policy ('*') as the CustomSignerRequest.resourceUrl is used for both the policy and the URL to be signed.
The SigningUtils.buildCustomPolicyForSignedUrl(...) method, which is called from the CloudFrontUtilities.getSignedUrlWithCustomPolicy(CustomSignerRequest request) method, does appear to cater for this by defaulting to the wildcard if the resourceUrl is NULL, BUT it is not possible to specify a null CustomSignerRequest.resourceUrl as this is also used for the URL to be signed.
Expected Behavior
Should be able to specify a custom policy resourceUrl as the 'wildcard' (or any other policy required) whilst also specifying the resourceUrl to be signed.
In the older AWS SDK this was possible as the custom policy was provided as a separate parameter string.
Current Behavior
Currently cannot specify a 'wildcard' resourceUrl for a custom policy separate to the URL to be signed.
Example:
When using a signed URL with PrimeFaces '<p:graphicImage ... cache=false>' on a client page, PrimeFaces adds a '&pfdrid_c' parameter to the URL. Without the ability to specify a wildcard policy for the resource URL, this forces the PrimeFaces parameter to be present in the URL when signing.
Reproduction Steps
For example:
As indicated above, the code does try to set the default wildcard for the custom policy if a NULL resourceUrl is specified.
However, if you try to do this then you will get an NPE, as this value is also used as the URL to be signed.
i.e. if you try this in a test then you will get an NPE exception.
So the code as it stands forces the URL to be signed to always be specified & does not enable a custom resource URL policy to be specified which is different to the URL to be signed.
Possible Solution
Could add a new/separate CustomSignedResource parameter to enable the policy resource url to be specified in addition to the URL to be signed.
OR
Could make the CustomSignedResource.resourceUrl be specific to the custom policy & then add a new/separate parameter to the CloudFrontUtilities.create() API call.
Additional Information/Context
No response
AWS Java SDK version used
2.27.19
JDK version used
openjdk version "17.0.8" 2023-07-18 LTS
Operating System and version
macOS Sonoma