Generating the signature
The signature is built by applying a keyed HMAC (Hash-based Message Authentication Code) to the parameter string prefixed with the REST API path. The secretKey is provided as a parameter to the keyed-HMAC method.
- For each field-value pair (as separated by a '&') in the Parameter String, URL-encode each value so that it can be safely sent via HTTP GET. Note: Make sure all spaces are encoded as "%20".
- Lowercase the entire Parameter String and sort it alphabetically by the field of each field-value pair: _=1368420672402&apikey=mivr6x7u6bn_sdahobpjnejpgest35exq-jb8cg20yi3yaxxcgpyuairmfi_ejtvwz0nukkjbpmy3y2bcikwfq
- Prefix the parameter string with the REST API path as shown below: /foo_=1368420672402&apikey=mivr6x7u6bn_sdahobpjnejpgest35exq-jb8cg20yi3yaxxcgpyuairmfi_ejtvwz0nukkjbpmy3y2bcikwfq
- Take the prefixed Parameter String and run it through the HMAC SHA-1 hashing algorithm with the user's Secret Key.
After reconstructing, the final URL looks like:
http://localhost:8080/portal/api/foo?_=1368420672402&apiKey=mivr6x7u6bn_sdahobpjnejpgest35exq-jb8cg20yi3yaxxcgpyuairmfi_ejtvwz0nukkjbpmy3y2bcikwfq&signature=Cxx1DN401BjmXU%2FcaiK8RAPo02xU%3D
Sample code to generate the signature:
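import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Returns the URL-encoded Base64 HMAC-SHA1 of parameterString, or null on failure.
public String signRequest(String parameterString, String secretKey) {
    try {
        Mac mac = Mac.getInstance("HmacSHA1");
        // Explicit charset so the result does not depend on the platform default.
        SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1");
        mac.init(keySpec);
        mac.update(parameterString.getBytes(StandardCharsets.UTF_8));
        byte[] macBytes = mac.doFinal();
        // java.util.Base64 stands in for the original Base64.encodeBytes helper.
        return URLEncoder.encode(Base64.getEncoder().encodeToString(macBytes), "UTF-8");
    } catch (Exception ex) {
        logger.debug(ex); // logger is the enclosing class's logger
    }
    return null;
}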
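The whole procedure above (encode, lowercase, sort, prefix, HMAC SHA-1, Base64, URL-encode) in Python, as an added example that is not part of the original page or the product's code. It goes one step beyond the page by adding a receiving-side check; the function names and the secret key are assumptions made for this example, while the path, timestamp and API key are the ones in the page's sample URL.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# API key and timestamp are from the page's sample URL; the secret key is constructed.
API_KEY = "mivr6x7u6bn_sdahobpjnejpgest35exq-jb8cg20yi3yaxxcgpyuairmfi_ejtvwz0nukkjbpmy3y2bcikwfq"
PARAMS = {"_": "1368420672402", "apiKey": API_KEY}
SECRET = "constructed-secret-key"


def canonical_string(api_path, params):
    """Steps 1-3: encode values, lowercase, sort by field, prefix the API path."""
    # quote() with safe="" percent-encodes reserved characters and writes spaces as %20.
    pairs = [f"{field}={quote(str(value), safe='')}".lower()
             for field, value in params.items()]
    # Lowercasing means case differences in a value are not covered by the signature.
    pairs.sort(key=lambda pair: pair.split("=", 1)[0])
    return api_path + "&".join(pairs)


def sign(api_path, params, secret_key):
    """Step 4: HMAC-SHA1 over the prefixed string, then Base64 and URL-encode."""
    message = canonical_string(api_path, params).encode("utf-8")
    digest = hmac.new(secret_key.encode("utf-8"), message, hashlib.sha1).digest()
    return quote(base64.b64encode(digest).decode("ascii"), safe="")


def signed_url(base_url, api_path, params, secret_key):
    """Append the signature to the original (not lowercased) query string."""
    query = "&".join(f"{f}={quote(str(v), safe='')}" for f, v in params.items())
    return f"{base_url}{api_path}?{query}&signature={sign(api_path, params, secret_key)}"


def verify(api_path, params, secret_key, presented_signature):
    """Receiving side: recompute the signature and compare in constant time."""
    expected = unquote(sign(api_path, params, secret_key))
    # unquote() on both sides accepts the signature URL-encoded or already decoded.
    return hmac.compare_digest(expected.encode(), unquote(presented_signature).encode())


if __name__ == "__main__":
    print(canonical_string("/foo", PARAMS))
    print(signed_url("http://localhost:8080/portal/api", "/foo", PARAMS, SECRET))
```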
Channel: While it is possible to invoke the API via HTTP or HTTPS, it is strongly recommended that it be invoked only over HTTPS with mutual certificate-based authentication. This allows the CloudPortal Business Manager to establish a trusted link with the calling portal.