Amazon Web Services is an umbrella for Amazon’s pioneering contributions, in infrastructure and applications, to web services. From early on, Amazon pushed hard to make its web sites for shopping, storage (S3, Simple Storage Service), utility-priced cloud computing (EC2), and so on available as web services, too. Among the prominent hosts of web services, Amazon is unusual in offering both SOAP-based and REST-style versions of such services. This chapter and later ones have code examples that involve Amazon’s E-Commerce or shopping service (see Registering with Amazon), which requires an accessId and a secretKey for access. The accessId is inserted, as is, into any request against the E-Commerce service; the secretKey is used to create what Amazon calls a signature, which is likewise inserted into every request and then verified on the Amazon side. The secretKey itself is not inserted into a request.
The RestfulAmazon client (see Example 3-2) is relatively clean code but only because the messy details are isolated in the
utility class RequestHelper. Amazon requires, in a RESTful request for item lookups against the E-Commerce service, that
the verb be GET and that the required data be in a strictly formatted query string. Here are some details:
- The keys in the query string must be in lexicographical order with respect to the first byte in the key’s name.
- The query string must include an ISO-8601 timestamp.
- The query string must be URL-encoded under RFC 3986.
- The query string must include a hash-based message authentication code using the SHA-256 hash algorithm. This hash value is what Amazon calls the signature.
- The authentication code must be base64-encoded.
Amazon’s RESTful service is fussy about the format of requests against it. The utility class RequestHelper ensures that
a GET request against the E-Commerce service has the required query string format.
Example 3-2. The RestfulAmazon client against the Amazon E-Commerce web service
packagerestful;importjava.net.URL;importjava.net.URLConnection;importjava.io.BufferedReader;importjava.io.InputStreamReader;importjava.io.ByteArrayInputStream;importjava.util.HashMap;importjava.util.Map;importjavax.xml.parsers.DocumentBuilderFactory;importjavax.xml.parsers.DocumentBuilder;importorg.w3c.dom.Document;importorg.w3c.dom.Element;importorg.w3c.dom.Node;importorg.w3c.dom.NodeList;publicclassRestfulAmazon{privatestaticfinalStringendpoint="ecs.amazonaws.com";privatestaticfinalStringitemId="0545010225";// Harry Potter
publicstaticvoidmain(String[]args){if(args.length<2){System.err.println("RestfulAmazon <accessKeyId> <secretKey>");return;}newRestfulAmazon().lookupStuff(args[0].trim(),args[1].trim());}privatevoidlookupStuff(StringaccessKeyId,StringsecretKey){RequestHelperhelper=newRequestHelper(endpoint,accessKeyId,secretKey);StringrequestUrl=null;Stringtitle=null;// Store query string params in a hash.Map<String,String>params=newHashMap<String,String>();params.put("Service","AWSECommerceService");params.put("Version","2009-03-31");params.put("Operation","ItemLookup");
params.put("ItemId",itemId);params.put("ResponseGroup","Small");params.put("AssociateTag","kalin");// any string should dorequestUrl=helper.sign(params);Stringresponse=requestAmazon(requestUrl);// The string "null" is returned before the XML document.StringnoNullResponse=response.replaceFirst("null","");System.out.println("Raw xml:\n"+noNullResponse);System.out.println("Author: "+getAuthor(noNullResponse));}privateStringrequestAmazon(StringstringUrl){Stringresponse=null;try{URLurl=newURL(stringUrl);URLConnectionconn=url.openConnection();conn.setDoInput(true);BufferedReaderin=newBufferedReader(newInputStreamReader(conn.getInputStream()));Stringchunk=null;while((chunk=in.readLine())!=null)response+=chunk;in.close();}catch(Exceptione){thrownewRuntimeException("Arrrg! "+e);}returnresponse;}privateStringgetAuthor(Stringxml){Stringauthor=null;try{ByteArrayInputStreambais=newByteArrayInputStream(xml.getBytes());DocumentBuilderFactoryfact=DocumentBuilderFactory.newInstance();fact.setNamespaceAware(true);DocumentBuilderbuilder=fact.newDocumentBuilder();Documentdoc=builder.parse(bais);NodeListresults=doc.getElementsByTagName("Author");for(inti=0;i<results.getLength();i++){Elemente=(Element)results.item(i);NodeListnodes=e.getChildNodes();for(intj=0;j<nodes.getLength();j++){Nodechild=nodes.item(j);if(child.getNodeType()==Node.TEXT_NODE)author=child.getNodeValue();}}}catch(Exceptione){thrownewRuntimeException("Xml bad!",e);}returnauthor;}}
The RestfulAmazon application expects two command-line arguments: an Amazon accessId and
secretKey, in that order. The client application then sets various properties such as the
requested Amazon operation (in this example, ItemLookup in line 2), the item’s identifier (in this
example, 0545010225 in line 1, which is a Harry Potter novel), the Amazon associate’s name, and so on.
After the RequestHelper utility formats the request according to Amazon’s requirements, the
RestfulAmazon client then opens a URLConnection to the Amazon service, sends the GET request,
and reads the response,
chunk by chunk. The relevant code segment is:
URLurl=newURL(stringUrl);URLConnectionconn=url.openConnection();conn.setDoInput(true);BufferedReaderin=newBufferedReader(newInputStreamReader(conn.getInputStream()));Stringchunk=null;while((chunk=in.readLine())!=null)response+=chunk;
The code first creates a URLConnection (line 1) and then wraps a
BufferedReader around the connection’s InputStream (line 2). A while loop
is used to read the Amazon response chunk by chunk (line 3).
On a successful GET request, the payload in the HTTP response body is an XML document. Here is
a slice from a sample run:
<?xmlversion="1.0"?><ItemLookupResponsexmlns="http://webservices.amazon.com/AWSECommerceService/2011-08-01"><OperationRequest><HTTPHeaders><HeaderName="UserAgent"Value="Java/1.7"></Header></HTTPHeaders><RequestId>591ac8db-0435-4c53-9b01-e3756ea9c55d</RequestId><Arguments><ArgumentName="Operation"Value="ItemLookup"></Argument><ArgumentName="Service"Value="AWSECommerceService"></Argument>...<ArgumentName="ResponseGroup"Value="Small"></Argument></Arguments><RequestProcessingTime>0.0083090000000000</RequestProcessingTime></OperationRequest><Item><Request><IsValid>True</IsValid><ItemLookupRequest><IdType>ASIN</IdType><ItemId>0545010225</ItemId>...</ItemLookupRequest></Request><Item><ASIN>0545010225</ASIN><DetailPageURL>http://www.amazon.com/Harry-Potter-Deathly-Hallows-Book...</DetailPageURL><ItemLinks><ItemLink><Description>TechnicalDetails</Description><URL>http://www.amazon.com/Harry-Potter-Deathly-Hallows-Book...</URL></ItemLink>...<ItemLink><Description>AddToWeddingRegistry</Description><URL>http://www.amazon.com/gp/registry/wedding/add-item.html...</URL></ItemLink>...</ItemLinks><ItemAttributes><Author>J.K.Rowling</Author><CreatorRole="Illustrator">MaryGrandPré</Creator><Manufacturer>ArthurA.LevineBooks</Manufacturer><ProductGroup>Book</ProductGroup><Title>HarryPotterandtheDeathlyHallows(Book7)</Title></ItemAttributes></Item></Items></ItemLookupResponse>
Even a cursory look at the XML makes clear, to anyone who has searched on the Amazon website, that the web service response contains essentially the same information as the corresponding HTML page viewed in a browser visit. For example, there is an XML element labeled:
AddToWeddingRegistry(line1)
Amazon’s goal is to make the website and the web service deliver the same information and the same functionality but in different formats: the website delivers HTML documents, whereas the web service delivers XML documents.
With the response XML in hand, the RestfulAmazon client then parses the document to extract, as
proof of concept, the author’s name, J. K. Rowling. The code uses the relatively old-fashioned
DOM parser, implemented as the standard Java DocumentBuilder class.
Here is the relevant code segment:
Documentdoc=builder.parse(bais);NodeListresults=doc.getElementsByTagName("Author");for(inti=0;i<results.getLength();i++){Elemente=(Element)results.item(i);NodeListnodes=e.getChildNodes();for(intj=0;j<nodes.getLength();j++){Nodechild=nodes.item(j);if(child.getNodeType()==Node.TEXT_NODE)
author=child.getNodeValue();}}
The code first builds the DOM tree structure from the Amazon response bytes (line 1) and
then gets a list, in this case a list of one element, from DOM elements tagged as Author.
The author’s name, J. K. Rowling, occurs as the contents of a TEXT_NODE (line 3). The
parse deals with the usual complexities of the tree structure that a DOM represents.
Similar DOM searches could extract from Amazon’s XML response document any other information of interest,
for example, the book’s ISBN number.
The RequestHelper class (see Example 3-3) has one job: format the HTTP GET request in accordance with Amazon’s
strict requirements. This class acts as a utility that hides many low-level details, but a quick
overview should provide some insight about what the E-Commerce service requires in a well-formed request.
Recall that a request against the E-Commerce service requires both an accessId and a secretKey but
the two play quite different roles in the request. The accessId occurs as a value in a key/value pair, with
AWSAccessKeyId as the key (line 2). There is also a key/value pair for the timestamp that the E-Commerce
service requires (line 3); hence, the accessId and the timestamp are peers. Amazon uses the timestamp to
ensure that the requests are timely—that is, recently constructed.
Example 3-3. The utility class RequestHelper, which supports the RestfulAmazon class
packagerestful;importjava.io.UnsupportedEncodingException;importjava.net.URLDecoder;importjava.net.URLEncoder;importjava.text.DateFormat;importjava.text.SimpleDateFormat;importjava.util.Calendar;importjava.util.HashMap;importjava.util.Iterator;importjava.util.Map;importjava.util.SortedMap;importjava.util.TimeZone;importjava.util.TreeMap;importjavax.crypto.Mac;importjavax.crypto.spec.SecretKeySpec;importorg.apache.commons.codec.binary.Base64;publicclassRequestHelper{privatestaticfinalStringutf8="UTF-8";privatestaticfinalStringhmacAlg="HmacSHA256";privatestaticfinalStringrequestUri="/onca/xml";privatestaticfinalStringrequestMethod="GET";privateStringendpoint=null;privateStringaccessKeyId=null;privateStringsecretKey=null;privateSecretKeySpecsecretKeySpec=null;privateMacmac=null;publicRequestHelper(Stringendpoint,StringaccessKeyId,StringsecretKey){if(endpoint==null||endpoint.length()==0)thrownewRuntimeException("The endpoint is null or empty.");if(null==accessKeyId||accessKeyId.length()==0)thrownewRuntimeException("The accessKeyId is null or empty.");if(null==secretKey||secretKey.length()==0)thrownewRuntimeException("The secretKey is null or empty.");this.endpoint=endpoint.toLowerCase();this.accessKeyId=accessKeyId;this.secretKey=secretKey;try{byte[]secretKeyBytes=this.secretKey.getBytes(utf8);this.secretKeySpec=newSecretKeySpec(secretKeyBytes,hmacAlg);this.mac=Mac.getInstance(hmacAlg);this.mac.init(this.secretKeySpec);}catch(Exceptione){thrownewRuntimeException(e);}}publicStringsign(Map<String,String>params){params.put("AWSAccessKeyId",this.accessKeyId);params.put("Timestamp",this.timestamp());// The parameters need to be processed in lexicographical order, with// sorting on the first byte: a TreeMap is perfect for this.SortedMap<String,String>sortedParamMap=
newTreeMap<String,String>(params);// Ensure canonical form of the query string, as Amazon REST is fussy.StringcanonicalQS=this.canonicalize(sortedParamMap);
// Prepare the signature with grist for the mill.StringtoSign=requestMethod+"\n"+this.endpoint+"\n"+requestUri+"\n"+canonicalQS;Stringhmac=this.hmac(toSign);Stringsig=null;try{sig=URLEncoder.encode(hmac,utf8);}catch(UnsupportedEncodingExceptione){System.err.println(e);}Stringurl=
"http://"+this.endpoint+requestUri+"?"+canonicalQS+"&Signature="+sig;returnurl;}publicStringsign(StringqueryString){Map<String,String>params=this.createParameterMap(queryString);returnthis.sign(params);}privateStringhmac(StringstringToSign){Stringsignature=null;byte[]data;byte[]rawHmac;try{data=stringToSign.getBytes(utf8);rawHmac=mac.doFinal(data);Base64encoder=newBase64();
signature=newString(encoder.encode(rawHmac));}catch(UnsupportedEncodingExceptione){thrownewRuntimeException(utf8+" is unsupported!",e);}returnsignature;}// Amazon requires an ISO-8601 timestamp.privateStringtimestamp(){Stringtimestamp=null;Calendarcal=Calendar.getInstance();DateFormatdfm=newSimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");dfm.setTimeZone(TimeZone.getTimeZone("GMT"));timestamp=dfm.format(cal.getTime());returntimestamp;}privateStringcanonicalize(SortedMap<String,String>sortedParamMap){if(sortedParamMap.isEmpty())return"";StringBufferbuffer=newStringBuffer();Iterator<Map.Entry<String,String>>iter=sortedParamMap.entrySet().iterator();while(iter.hasNext()){Map.Entry<String,String>kvpair=iter.next();buffer.append(encodeRfc3986(kvpair.getKey()));buffer.append("=");buffer.append(encodeRfc3986(kvpair.getValue()));if(iter.hasNext())buffer.append("&");}returnbuffer.toString();}// Amazon requires RFC 3986 encoding, which the URLEncoder may not get right.privateStringencodeRfc3986(Strings){Stringout;try{out=URLEncoder.encode(s,utf8).replace("+","%20").replace("*","%2A").replace("%7E","~");}catch(UnsupportedEncodingExceptione){out=s;}returnout;}privateMap<String,String>createParameterMap(StringqueryString){Map<String,String>map=newHashMap<String,String>();String[]pairs=queryString.split("&");for(Stringpair:pairs){if(pair.length()<1)continue;String[]tokens=pair.split("=",2);for(intj=0;j<tokens.length;j++){try{tokens[j]=URLDecoder.decode(tokens[j],utf8);}catch(UnsupportedEncodingExceptione){}}switch(tokens.length){case1:{if(pair.charAt(0)=='=')map.put("",tokens[0]);elsemap.put(tokens[0],"");break;}case2:{map.put(tokens[0],tokens[1]);break;}}}returnmap;}}
The secretKey plays a different role than does the accessId. The secretKey is used to initialize a
message authentication code (MAC), which the Java javax.crypto.Mac class represents. (The initialization occurs in the try
block that begins on line 1.)
Amazon requires a particular type of MAC, an HMAC (Hash Message Authentication Code) that uses the
SHA-256 algorithm (Secure Hash Algorithm that generates a 256-bit hash). The important security point is
that the secretKey itself does not go over the wire from the client to Amazon. Instead the secretKey
is used to initialize the process that generates a message digest (hash value). Finally, this hash value is
encoded in base64 (line 7). Amazon calls the result a signature, which occurs as the value in a key/value pair
whose key is Signature (line 6).
There is a final preparatory step. The E-Commerce service expects, in a GET request, that the query string
key/value pairs be in sorted order. The RequestHelper uses a TreeMap, as this data structure is ideally
suited for the task (line 4). The properly formatted query string results from a call to canonicalize;
this query string is then appended to the base URL for the Amazon E-Commerce service.
Not every commercial site is as fussy as Amazon when it comes to request formatting. This first Amazon example shows that generating a correctly formatted RESTful request may be nontrivial. This client also explicitly parses the returned XML. The next client addresses the issue of how to avoid such parsing. Before looking at the code for the second client, however, it will be useful to focus on the JAX-B utilities used in the second client.