locked
Shared Signatures in Containers are not working as expected RRS feed

  • Question

  • Hi,

    There are two ways of get a container shared signature:

    • The first, is how MSDN explains it and it works.
    • The second is how apparently it could also be done (because there is a method overload with that purpouse) but it doesn't work. I get a forbidden exception.

     

    // http://msdn.microsoft.com/en-us/library/ee772877.aspx
    
     [TestMethod]
     public void CreateSASUsingContainerAccessPolicy1()
     {
      String randomContainerName = new Random(DateTime.Now.Millisecond).Next(0, 999999).ToString("000000");
      
      CloudStorageAccount storageAccount = CloudStorageAccount.Parse("UseDevelopmentStorage=true");
      CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
      CloudBlobContainer container = blobClient.GetContainerReference(randomContainerName);
      container.CreateIfNotExist();
    
      BlobContainerPermissions containerPermissions = new BlobContainerPermissions();
      containerPermissions.SharedAccessPolicies.Add("mypolicy", new SharedAccessPolicy()
      {
      SharedAccessStartTime = DateTime.Now,
      SharedAccessExpiryTime = DateTime.Now.AddHours(10),
      Permissions = SharedAccessPermissions.Read
      });
      containerPermissions.PublicAccess = BlobContainerPublicAccessType.Off;
      container.SetPermissions(containerPermissions);
    
      var blob = container.GetBlobReference("yepa.txt");
      blob.Properties.ContentType = @"text/plain";
      blob.UploadText("hello hello hello hello hello hello hello");
      
      string sas = container.GetSharedAccessSignature(new SharedAccessPolicy(), "mypolicy");
    
      HttpWebRequest req = (HttpWebRequest)HttpWebRequest.Create(blob.Uri.ToString() + sas);
      var response = req.GetResponse();
    
      Assert.AreEqual(HttpStatusCode.OK, ((HttpWebResponse)response).StatusCode, "sas failed");
      Assert.AreEqual(@"text/plain", response.ContentType, "sas returned wrong content-type");
     }
    
     [TestMethod]
     public void CreateSASUsingContainerAccessPolicy2()
     {
      String randomContainerName = new Random(DateTime.Now.Millisecond).Next(0, 999999).ToString("000000");
    
      CloudStorageAccount storageAccount = CloudStorageAccount.Parse("UseDevelopmentStorage=true");
      CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
      CloudBlobContainer container = blobClient.GetContainerReference(randomContainerName);
      container.CreateIfNotExist();
    
      BlobContainerPermissions containerPermissions = new BlobContainerPermissions();
      containerPermissions.PublicAccess = BlobContainerPublicAccessType.Off;
      container.SetPermissions(containerPermissions);
    
      var blob = container.GetBlobReference("yepa.txt");
      blob.Properties.ContentType = @"text/plain";
      blob.UploadText("hello hello hello hello hello hello hello");
    
      string sas = container.GetSharedAccessSignature(new SharedAccessPolicy()
      {
      SharedAccessStartTime = DateTime.Now,
      SharedAccessExpiryTime = DateTime.Now.AddHours(10),
      Permissions = SharedAccessPermissions.Read
      });
    
      HttpWebRequest req = (HttpWebRequest)HttpWebRequest.Create(blob.Uri.ToString() + sas);
      var response = req.GetResponse();
    
      Assert.AreEqual(HttpStatusCode.OK, ((HttpWebResponse)response).StatusCode, "sas failed");
      Assert.AreEqual(@"text/plain", response.ContentType, "sas returned wrong content-type");
     }
    

     

     

    I'm using 1.4

     


    .: Valeriano Tórtola MCTS WPF :.: http://www.vtortola.net :.

    Thursday, March 31, 2011 10:36 AM

Answers

  • Hi Valeriano,
     When you do not use a policy associated with container for SAS, the maximum expiry time is 1 hour. The first test uses container level access policy and hence is allowed to specify an expiry of 10 hours.

     Here is an excerpt from document:
       If a signed identifier is not specified as part of the Shared Access Signature, the maximum permissible interval over which the signature is valid is one hour

    In the second test, use the following code:

     string sas = container.GetSharedAccessSignature(new SharedAccessPolicy()
     {
     SharedAccessStartTime = DateTime.Now,
     SharedAccessExpiryTime = DateTime.Now.AddHours(<strong>1</strong>),
     Permissions = SharedAccessPermissions.Read
     });
    

    Thanks,
    Jai

     

     

    • Marked as answer by vtortola Friday, April 1, 2011 8:40 AM
    Thursday, March 31, 2011 5:22 PM

All replies

  • Hi Valeriano,
     When you do not use a policy associated with container for SAS, the maximum expiry time is 1 hour. The first test uses container level access policy and hence is allowed to specify an expiry of 10 hours.

     Here is an excerpt from document:
       If a signed identifier is not specified as part of the Shared Access Signature, the maximum permissible interval over which the signature is valid is one hour

    In the second test, use the following code:

     string sas = container.GetSharedAccessSignature(new SharedAccessPolicy()
     {
     SharedAccessStartTime = DateTime.Now,
     SharedAccessExpiryTime = DateTime.Now.AddHours(<strong>1</strong>),
     Permissions = SharedAccessPermissions.Read
     });
    

    Thanks,
    Jai

     

     

    • Marked as answer by vtortola Friday, April 1, 2011 8:40 AM
    Thursday, March 31, 2011 5:22 PM
  • Right.

    As far as I know, there is also a limitation of 5 shared signatures per container. Where can I find information about that?

    Thanks.


    .: Valeriano Tórtola MCTS WPF :.: http://www.vtortola.net :.
    Friday, April 1, 2011 8:39 AM
  • Yes, there is a limit. That information can be found as link in the above mentioned doc.

    Thanks,

    jai

    Friday, April 1, 2011 1:41 PM