Thread: Typo in Developer's Guide causes authentication problems over REST

Replies: 22 - Pages: 2 - Last Post: Jun 26, 2009 1:10 PM by: Special K
illustratedlife

Posts: 40
Registered: 3/20/07
Typo in Developer's Guide causes authentication problems over REST
Posted: Feb 14, 2008 12:09 AM PST

I just spent way too long figuring this out. Kept getting this error:

AWS was not able to authenticate the request: access credentials are missing

Turns out the D in AWSAccessKeyId is supposed to be lowercase. The Developer's Guide API Reference has it listed in uppercase.

Aleksey@AWS

Posts: 207
Registered: 9/5/06
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Feb 14, 2008 9:55 AM PST   in response to: illustratedlife

Great catch. We will fix the typo. Apologies for causing your headache.


illustratedlife

Posts: 40
Registered: 3/20/07
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Feb 14, 2008 12:13 PM PST   in response to: Aleksey@AWS

Thanks Aleksey.

I'm writing a SimpleDB interface in ActionScript. I'm bumping up against Adobe's security sandbox because sdb.amazonaws.com does not have a cross-domain policy.

http://sdb.amazonaws.com/crossdomain.xml should return:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>


Can you please post a crossdomain.xml file to sdb.amazonaws.com?

Aleksey@AWS

Posts: 207
Registered: 9/5/06
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Feb 15, 2008 10:34 AM PST   in response to: illustratedlife

Setting up cross-domain policies at the root of the service is not something that we generally do, but I will follow up internally to see if this is an option.


illustratedlife

Posts: 40
Registered: 3/20/07
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Feb 15, 2008 11:52 AM PST   in response to: Aleksey@AWS

Thanks.

It shouldn't be a difficult decision. You're allowing open access via REST. All a crossdomain will do is allow Flash Player to consume the REST API.

In situations where crossdomaining is not added, do you provide an alternative for Flash developers?

John Spurlock
RealName(TM)


Posts: 73
Registered: 4/10/06
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Mar 14, 2008 4:05 PM PDT   in response to: Aleksey@AWS

Any update on when a crossdomain.xml might appear?

This is even more interesting now that the new version of Microsoft's Silverlight also respects these policy files for client-side calls.


Aleksey@AWS

Posts: 207
Registered: 9/5/06
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Mar 20, 2008 11:21 AM PDT   in response to: John Spurlock

We appreciate the need of our developers to access Amazon SimpleDB from their Flash applications.  However, for security reasons, we will not be able to post a cross domain policy file for Amazon SimpleDB.  Should our security policies change at any point in time as we review them, we will post on the forums with any updates.  Please continue to provide information about your use cases; they will inform our review process in the future.

In the meantime, one of the common solutions for this issue is to use a web proxy for cross-domain calls.  One of the articles that describes that scenario can be found here: http://developer.yahoo.com/javascript/howto-proxy.html


John Spurlock
RealName(TM)


Posts: 73
Registered: 4/10/06
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Mar 20, 2008 4:19 PM PDT   in response to: Aleksey@AWS

Thanks for the response. 

Would you mind describing what the security concerns are?  Is it something in general or something specific to SimpleDB?  Other Amazon services such as A2S host this file:  http://a2s.amazonaws.com/crossdomain.xml

It would seem that these policy files are merely indicators to well-intentioned clients, not a means of security.  The same service authentication requirements would apply etc.

The primary benefit of direct service calls from a richer client is in fact to avoid using an intermediate proxy as you suggest.

Thanks,
- John





illustratedlife

Posts: 40
Registered: 3/20/07
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Mar 20, 2008 7:59 PM PDT   in response to: illustratedlife

I second John's remarks. I don't understand at all why posting a cross domain would be a security problem. As you yourself have noted, a php script or similar instrument has full access to SDB. Omitting a cross-domain doesn't prevent any malicious usage.

Since SDB is designed for outside consumption, it seems only appropriate to have a cross-domain policy indicating such.

Mocky Habeeb
RealName(TM)


Posts: 548
Registered: 12/28/07
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Mar 21, 2008 7:58 AM PDT   in response to: John Spurlock

I would also like to know what the security concerns are.

Given that the file would be hosted under sdb.amazonaws.com, it would have no impact on any other web service in AWS.

And since all requests to SDB would still require the same authentication, I'm at a loss for what the security impact is.

bd_

Posts: 376
Registered: 7/17/06
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Mar 24, 2008 12:20 PM PDT   in response to: illustratedlife

I would suspect that it is to protect developers from themselves. By using ActionScript to manipulate SDB, you are handing your access key id and secret access key to anyone who visits your site - hardly something Amazon wants to encourage. If the keys are /not/ in the Flash file itself, but requests are authorized by another server first (the way it should be), that server can also proxy the request.

illustratedlife

Posts: 40
Registered: 3/20/07
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Mar 25, 2008 12:37 AM PDT   in response to: bd_

There are ways to get around that problem.

I realize that people placing their secret key in an SWF is not secure, but I don't really feel like that's Amazon's business to police. I can't imagine there will be many non-AIR implementations of simpleDB-as3, but developers should have the option, even if only for personal/internal tools where key security is no big deal. From Amazon's point of view, there's no increased systemic risk. It's the responsibility of the developer to maintain his own account's security.

bd_

Posts: 376
Registered: 7/17/06
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Mar 25, 2008 8:57 AM PDT   in response to: illustratedlife

True, but this doesn't mean it'll be easy. Think of the support hassles, and liability issues - someone's account is compromised, used for warez, AWS closes the account, user's data's gone. Now what? That's not good publicity, or security. Adding a crossdomain.xml is a nice way to encourage such insecure practices, and so if I were in AWS's position, I definitely would not add one.

If you really want to do something dangerous like this for your own personal use, whitelist the Flash program so it doesn't /need/ a crossdomain.xml, or make a Flex app. If you don't have control of the client machine, then you really, really should be proxying it, and doing the authentication on a machine under your control.
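
The arrangement bd_ describes above, where a server under the developer's control authorizes and signs each request so the secret key never ships in the SWF, can be sketched as follows. This is an added example, not code from any poster or from AWS: the key values, the `public_catalog` domain, the allowlists and the function names are constructed, and the HMAC canonicalization shows the general shape of AWS query signing rather than a reference implementation of SimpleDB's signature.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials: they live only on the proxy host, never in the SWF.
ACCESS_KEY_ID = "AKIDEXAMPLE"
SECRET_KEY = b"constructed-secret-for-illustration"
HOST, PATH = "sdb.amazonaws.com", "/"

ALLOWED_ACTIONS = {"GetAttributes"}    # read-only surface exposed to browser clients
ALLOWED_DOMAINS = {"public_catalog"}   # hypothetical domain name
SERVER_ONLY = {"AWSAccessKeyId", "Signature", "SignatureMethod",
               "SignatureVersion", "Timestamp"}


def canonical_query(params):
    """Sort by parameter name and percent-encode names and values."""
    enc = lambda s: quote(str(s), safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def sign(params):
    """HMAC-SHA256 over verb, host, path and canonical query, base64-encoded."""
    to_sign = "\n".join(["GET", HOST, PATH, canonical_query(params)])
    mac = hmac.new(SECRET_KEY, to_sign.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_signed_query(client_params, timestamp):
    """Validate what the client asked for, then add credentials and sign."""
    if SERVER_ONLY & client_params.keys():
        raise PermissionError("client may not supply credential parameters")
    if client_params.get("Action") not in ALLOWED_ACTIONS:
        raise PermissionError("action not permitted through the proxy")
    if client_params.get("DomainName") not in ALLOWED_DOMAINS:
        raise PermissionError("domain not permitted through the proxy")
    params = dict(client_params)
    params.update({"AWSAccessKeyId": ACCESS_KEY_ID, "SignatureMethod": "HmacSHA256",
                   "SignatureVersion": "2", "Timestamp": timestamp})
    params["Signature"] = sign(params)
    return canonical_query(params)
```

The client sends only `Action`, `DomainName` and item parameters; the proxy forwards the signed query to the service, so a leaked SWF exposes nothing beyond the read-only calls the allowlists permit.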

illustratedlife

Posts: 40
Registered: 3/20/07
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Mar 25, 2008 6:56 PM PDT   in response to: illustratedlife

The whitelist would have to be maintained by Amazon, correct? I don't think you can as a developer tell Flash to ignore its own security policies.

bd_

Posts: 376
Registered: 7/17/06
Re: Typo in Developer's Guide causes authentication problems over REST
Posted: Mar 25, 2008 7:03 PM PDT   in response to: illustratedlife

This may be relevant: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html#117164

I'm not particularly familiar with Flash, so I can't really be more specific than that... it could be that there really is no way to override. It doesn't change the fact that this is a very bad idea unless you truly understand the security implications, and I'm sure there are plenty of people who /don't/ understand the security implications, and would assume that anything hidden inside the Flash source is safe. (Heck, there are sites out there that check passwords in JavaScript...)

