What to be aware of when using the included BFCC_Container( ) function
The standard deployment strategy for CloudContainer is to use the custom function provided in the sample file to generate links to use in web viewers on your layouts. This provides a quick and easy way to get working CloudContainer URLs into your web viewers without having to do any extra scripting or configuration.
When you do this, the API key is embedded in the web viewer URL, which grants the user access to view and store files at the URL provided. If a user captures that API key, such as when it is exposed to a browser in WebDirect, it is possible for them to change the CloudContainer URL and upload, edit, or delete files other than the one you are specifically granting them access to.
While this may be an acceptable level of security for many internal deployments being only used by a select group of people, there may be cases where you would want to lock down your container access a bit more. This would not be a good solution if you wanted to have a place to upload files on a public-facing WebDirect solution, for example. In a case like that you would want to sure the public users only have access to the specific URL you want them to use.
Increasing security using signed URLs
CloudContainer supports generating pre-signed, expiring URLs to use in your web viewers. These generated URLs cannot be changed by users without invalidating the link and also expire after a time limit that you specify. You can use signed URLs to safely grant a use access to a single CloudContainer and only for a limited amount of time.
The BFCC_GetSignedURL function can be used to get the address to query to get a signed URL for a particular container. This function takes the document UUID and an expiration in seconds which is counted from the time the URL is generated.
Here is an example of using the BFCC_ContainerSigned function to generate and use a secure, signed URL.
Insert from URL [ Select ; With dialog: Off ; Target: $url ; BFCC_ContainerSigned ( Document::uuid ; 600 ) ; Verify SSL Certificates ] Set Web Viewer [ Object Name: "cloudcontainer wv" ; URL: $url ]
In this example we call BFCC_ContainerSigned in an Insert From URL script step. We pass in the document UUID which we want to generate the link for as well as the number of seconds we want the link to be valid for (600 seconds, 10 minutes). This insert from URL script step gets a signed URL from the CloudContainer server and stores it in the $url variable. We then use this variable in the next step to direct the web viewer to the secure, expiring URL.
If the user tries to upload or delete a file at this address after 10 minutes they will receive an error, even if the container has already loaded in the web viewer on the screen.
An example of using signed URLs can be found in the “Get and Show Signed URL” script in the CloudContainer demo file.