Question

I m looking to confirm or refute the following:

For what I have read so far it is not possible to write a web application with only javascript -- no server side logic -- served from Amazon S3 that also store data only to S3 if you need to have multiple clients with private data per client.

The issue I see is the Authorization header required for every Ajax call that would force me to put the signature (and my AWS id) right there in the page source for everybody to see.

Is that correct or I misunderstood the docs?

Are there workarounds?

Answer 1

In short, you are correct.

If your AWS key ends-up in any way on the client-side, you are in trouble.

A possible solution is, of course, to have the user specify their AWS key for storing their data.

Answer 2

I m working on a project that will do something similar to this, mine will have the users use their own S3 which I will store in HTML5 localStorage. It s a bit tricky, but I ve got the basics working.

It involves making an Javascript program that replicates itself into S3, gets itself from S3 and then transfers credentials and control into the S3 loaded version.

I m using the excellent SJCL to do signature generation and jQuery s ajax functionality for the parts I can.

My work simply initializes the S3 side application and does a test PUT/GET sequence to S3. I also rewrote a JQuery postMessage plugin (which StackOverflow won t let me post for lack of rep) for communicating between my frames.

In my case, I m trying to fit the entire application into a single HTML file so that I don t have to do as much initial transfer into S3, but perhaps there are other ways to work this out.

Answer 3

iBeans offers a way around this without having to write any server side code. There s an S3 iBean (a developer is working on it to be released in the next few days - watch the mulesoft blog for an announcement) and you can access it right from your javascript. The iBean itself runs on a server so you wouldn t need to store your keys in the javascript.

友情链接