- Configuring OSS
- Server-side code
- Initializing the STS Client
- Obtaining STS temporary credentials
- Creating the policy and computing the SigningKey
- OSSUtil.java
- STSPolicyDTO.java
- Exposing the endpoint
- Simulating web-side direct upload with Apifox
This article walks through the official documentation on server-side STS temporary credential (signature) direct upload and flags the places that are easy to get wrong during development; the official docs should remain your primary reference. The code in this article is almost entirely the official sample code.
Before reading, compare your OSS SDK version; it may determine whether the pitfalls listed here apply to your problem.
```xml
<dependency>
    <groupId>com.aliyun.oss</groupId>
    <artifactId>aliyun-sdk-oss</artifactId>
    <version>3.17.4</version>
</dependency>
<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>sts20150401</artifactId>
    <version>1.1.6</version>
</dependency>
```
The one difference is that the official guide recommends putting the important OSS base parameters in environment variables; this article puts them directly in the Spring main configuration file instead (to make a later move to the Nacos configuration center easier). With that in mind, the code fragments that follow will not look unfamiliar.
The class that wraps the OSS base parameters, AliOSSProp, is pasted here as well.
```java
import lombok.Getter;
import lombok.Setter;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;

/**
 * Basic OSS settings.
 * prefix = "alibaba.oss" means that every custom property in the Spring / Spring Boot main
 * configuration file starting with alibaba.oss is mapped one-to-one onto a field of this class.
 */
@ConfigurationProperties(prefix = "alibaba.oss")
@Component
@Getter
@Setter
public class AliOSSProp {
    private String accessKeyId;
    private String secretAccessKey;
    /**
     * Make sure the Endpoint uses the STS domain when requesting temporary credentials,
     * e.g. String endpoint = "sts.cn-hangzhou.aliyuncs.com".
     * See "Step 5: obtain temporary access credentials":
     * https://help.aliyun.com/document_detail/100624.html?spm=api-workbench.Troubleshoot.0.0.5ba77185ILElOT#section-5xa-zdn-s0q
     */
    private String endpoint;
    private String bucket;
    /** RAM > Access Control > Identities > Roles > ARN attribute value */
    private String roleArn;
    private String region;
}
```
Configuring OSS
The official documentation covers this in detail, so it is not repeated here.
Server-side code
The server's main job is to use STS to generate a temporary credential for the client; with that temporary credential the client can upload files directly to OSS.
Initializing the STS Client
One thing to note here: the endpoint needs the sts. prefix.
Since the STS Client only needs to be initialized once, it is registered as a Bean.
```java
@Resource
private AliOSSProp aliOSSProp;

@Bean
public com.aliyun.sts20150401.Client ossStsClient() throws Exception {
    // Leaked project code can leak the AccessKey and endanger every resource under the account. The following code is for reference only.
    com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
            // Required. (The official sample reads it from the environment variable OSS_ACCESS_KEY_ID.)
            .setAccessKeyId(aliOSSProp.getAccessKeyId())
            // Required. (The official sample reads it from the environment variable OSS_ACCESS_KEY_SECRET.)
            .setAccessKeySecret(aliOSSProp.getSecretAccessKey());
    // For the endpoint see https://api.aliyun.com/product/Sts
    // Make sure the endpoint uses the STS domain when requesting temporary credentials
    config.endpoint = "sts." + aliOSSProp.getEndpoint();
    return new com.aliyun.sts20150401.Client(config);
}
```
Obtaining STS temporary credentials
Nothing special to watch out for in this part; it can be copied as-is.
```java
import com.aliyun.oss.OSSException;
import com.aliyun.sts20150401.models.AssumeRoleRequest;
import com.aliyun.sts20150401.models.AssumeRoleResponse;
import com.aliyun.sts20150401.models.AssumeRoleResponseBody;
import com.aliyun.tea.TeaException;
import com.aliyun.teautil.models.RuntimeOptions;

/**
 * Obtain STS temporary credentials.
 * @return an AssumeRoleResponseBodyCredentials object
 */
private AssumeRoleResponseBody.AssumeRoleResponseBodyCredentials getCredential() {
    AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
            // Required. (The official sample reads it from the environment variable OSS_STS_ROLE_ARN.)
            .setRoleArn(aliOSSProp.getRoleArn())
            .setRoleSessionName("idooyRoleSessionName"); // custom session name
    RuntimeOptions runtime = new RuntimeOptions();
    try {
        // When copying this code, print the API response yourself if you need to inspect it.
        AssumeRoleResponse response = ossStsClient.assumeRoleWithOptions(assumeRoleRequest, runtime);
        // credentials holds the AccessKeyId, AccessKeySecret and SecurityToken used in the next steps.
        return response.body.credentials;
    } catch (TeaException error) {
        // Logging shown for illustration only; handle exceptions carefully and never silently swallow them in a real project.
        // log.error("Failed to obtain temporary credentials via STS ===> {}", error.getMessage());
        throw new OSSException("Failed to obtain temporary credentials via STS ===> " + error.getMessage());
    } catch (Exception e) {
        throw new OSSException(e.getMessage());
    }
}
```
Creating the policy and computing the SigningKey
This part of the code is long, but the comments are clear; you do not need to understand every line, copying it is fine.
- Be careful with the magic values (String literals) in this code; do not modify or mis-paste them by accident.
- Three date formats are used here: "yyyyMMdd'T'HHmmss'Z'", "yyyyMMdd" and "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'". Keep them apart.
- Change the value of the uploadDir variable to suit your own layout.
- The official sample stuffs the results into a map; this article wraps them in a DTO object instead.
```java
import com.aliyun.oss.common.utils.BinaryUtil;
import com.aliyun.sts20150401.models.AssumeRoleResponseBody;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

import javax.annotation.Resource;
import java.nio.charset.StandardCharsets;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

@Resource
private com.aliyun.sts20150401.Client ossStsClient;
/** Validity period, in seconds. */
private static final Long EXPIRE_TIME = 3600L;
private static final String TIME_FORMAT_PATTERN_1 = "yyyyMMdd'T'HHmmss'Z'";
/** Date format. */
private static final String TIME_FORMAT_PATTERN_2 = "yyyyMMdd";
@Resource
AliOSSProp aliOSSProp;

/**
 * Still the "server-side signing, web-side direct upload" approach, only using the safer STS variant.
 * @return policy, signature and temporary credentials for the client
 */
@Override
public STSPolicyDTO getSTSUploadPolicy() throws JsonProcessingException {
    String host = "https://" + aliOSSProp.getBucket() + "." + aliOSSProp.getEndpoint();
    // Prefix for objects uploaded to OSS; may be left empty, in which case files land in the bucket root. One folder per day.
    // brand/ is a custom directory
    String uploadDir = "brand/" + LocalDate.now();
    String region = aliOSSProp.getRegion();
    // temporary credentials
    AssumeRoleResponseBody.AssumeRoleResponseBodyCredentials credential = getCredential();
    String accessKeyId = credential.getAccessKeyId();
    String accessKeySecret = credential.getAccessKeySecret();
    String securityToken = credential.getSecurityToken();
    // the date inside x-oss-credential: today's date (UTC) in yyyyMMdd
    ZonedDateTime today = ZonedDateTime.now().withZoneSameInstant(ZoneOffset.UTC);
    DateTimeFormatter formatter = DateTimeFormatter.ofPattern(TIME_FORMAT_PATTERN_2);
    String date = today.format(formatter);
    // x-oss-date
    ZonedDateTime now = ZonedDateTime.now().withZoneSameInstant(ZoneOffset.UTC);
    DateTimeFormatter formatter2 = DateTimeFormatter.ofPattern(TIME_FORMAT_PATTERN_1);
    String x_oss_date = now.format(formatter2);

    // Step 1: build the policy.
    String x_oss_credential = accessKeyId + "/" + date + "/" + region + "/oss/aliyun_v4_request";
    ObjectMapper mapper = new ObjectMapper();
    Map<String, Object> policy = new HashMap<>();
    policy.put("expiration", OSSUtil.generateExpiration(EXPIRE_TIME));
    List<Object> conditions = new ArrayList<>();
    Map<String, String> bucketCondition = new HashMap<>();
    bucketCondition.put("bucket", aliOSSProp.getBucket());
    conditions.add(bucketCondition);
    Map<String, String> securityTokenCondition = new HashMap<>();
    securityTokenCondition.put("x-oss-security-token", securityToken);
    conditions.add(securityTokenCondition);
    Map<String, String> signatureVersionCondition = new HashMap<>();
    signatureVersionCondition.put("x-oss-signature-version", "OSS4-HMAC-SHA256");
    conditions.add(signatureVersionCondition);
    Map<String, String> credentialCondition = new HashMap<>();
    credentialCondition.put("x-oss-credential", x_oss_credential); // built from the temporary access key id above
    conditions.add(credentialCondition);
    Map<String, String> dateCondition = new HashMap<>();
    dateCondition.put("x-oss-date", x_oss_date);
    conditions.add(dateCondition);
    conditions.add(Arrays.asList("content-length-range", 1, 10240000));
    conditions.add(Arrays.asList("eq", "$success_action_status", "200"));
    conditions.add(Arrays.asList("starts-with", "$key", uploadDir));
    policy.put("conditions", conditions);
    String jsonPolicy = mapper.writeValueAsString(policy);

    // Step 2: build the string to sign (StringToSign).
    // String stringToSign = new String(Base64.encodeBase64(jsonPolicy.getBytes(StandardCharsets.UTF_8)));
    String stringToSign = cn.hutool.core.codec.Base64.encode(jsonPolicy.getBytes(StandardCharsets.UTF_8));
    // System.out.println("stringToSign: " + stringToSign);

    // Step 3: derive the SigningKey.
    byte[] dateKey = OSSUtil.getHmacSHA256(("aliyun_v4" + accessKeySecret).getBytes(StandardCharsets.UTF_8), date);
    byte[] dateRegionKey = OSSUtil.getHmacSHA256(dateKey, region);
    byte[] dateRegionServiceKey = OSSUtil.getHmacSHA256(dateRegionKey, "oss");
    byte[] signingKey = OSSUtil.getHmacSHA256(dateRegionServiceKey, "aliyun_v4_request");
    // System.out.println("signingKey: " + BinaryUtil.toBase64String(signingKey));

    // Step 4: compute the Signature.
    byte[] result = OSSUtil.getHmacSHA256(signingKey, stringToSign);
    String signature = BinaryUtil.toHex(result);
    return new STSPolicyDTO()
            .setPolicy(stringToSign)
            .setX_oss_credential(x_oss_credential)
            .setX_oss_date(x_oss_date)
            .setSignature(signature)
            .setSecurity_token(securityToken)
            .setDir(uploadDir)
            .setHost(host);
}
```
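To make the four steps above easy to check independently, here is the same policy construction, SigningKey derivation and signature in Python. This is an added example, not the post's or Alibaba's code. Every key, token, bucket and endpoint name in it is a constructed placeholder (in a real run they come from STS AssumeRole and your own bucket settings), and the clock is injected so the output is reproducible. It also shows the check the receiving side performs, which is why a client cannot loosen any condition (size limit, key prefix, bucket) without invalidating the signature.

```python
"""Aliyun OSS V4 POST-policy signing (steps 1-4 of the post), reimplemented in Python as a cross-check.
Added example, not the post's or Alibaba's code. All key material and names are constructed placeholders."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the STS credentials and OSS settings (not real values).
SAMPLE = {
    "access_key_id": "STS.EXAMPLEKEYID",
    "access_key_secret": "example-secret-not-real",
    "security_token": "example-security-token-not-real",
    "bucket": "example-bucket",
    "region": "cn-chengdu",
    "endpoint": "oss-cn-chengdu.aliyuncs.com",  # assumed endpoint naming; use your own region's endpoint
    "upload_dir": "brand/2025-07-30",
}
FIXED_NOW = datetime(2025, 7, 30, 14, 22, 7, tzinfo=timezone.utc)  # injected clock for reproducible output
AFTER_EXPIRY = FIXED_NOW + timedelta(hours=2)                       # a clock value past the 3600 s validity


def hmac_sha256(key: bytes, data: str) -> bytes:
    """Same primitive as OSSUtil.getHmacSHA256: HMAC-SHA256 over the UTF-8 bytes of data."""
    return hmac.new(key, data.encode("utf-8"), hashlib.sha256).digest()


def signing_key(access_key_secret: str, date: str, region: str) -> bytes:
    """Step 3: "aliyun_v4"+secret -> date -> region -> "oss" -> "aliyun_v4_request"; each output keys the next HMAC."""
    date_key = hmac_sha256(("aliyun_v4" + access_key_secret).encode("utf-8"), date)
    date_region_key = hmac_sha256(date_key, region)
    date_region_service_key = hmac_sha256(date_region_key, "oss")
    return hmac_sha256(date_region_service_key, "aliyun_v4_request")


def build_policy(bucket, security_token, x_oss_credential, x_oss_date, upload_dir, expiration, max_bytes=10240000):
    """Step 1: the same condition list the Java code assembles. Each condition pins something the browser
    may not change: bucket, STS token, credential scope, key prefix and size range."""
    return {
        "expiration": expiration,
        "conditions": [
            {"bucket": bucket},
            {"x-oss-security-token": security_token},
            {"x-oss-signature-version": "OSS4-HMAC-SHA256"},
            {"x-oss-credential": x_oss_credential},
            {"x-oss-date": x_oss_date},
            ["content-length-range", 1, max_bytes],
            ["eq", "$success_action_status", "200"],
            ["starts-with", "$key", upload_dir],
        ],
    }


def encode_policy(policy: dict) -> str:
    """Step 2: StringToSign is the base64 of the policy JSON (the exact bytes are what gets signed)."""
    return base64.b64encode(json.dumps(policy, separators=(",", ":")).encode("utf-8")).decode("ascii")


def decode_policy(policy_b64: str) -> dict:
    return json.loads(base64.b64decode(policy_b64))


def sign_policy(policy: dict, access_key_secret: str, date: str, region: str):
    """Steps 2 and 4: signature = hex(HMAC(SigningKey, StringToSign))."""
    string_to_sign = encode_policy(policy)
    return string_to_sign, hmac_sha256(signing_key(access_key_secret, date, region), string_to_sign).hex()


def issue_policy(access_key_id, access_key_secret, security_token, bucket, region, endpoint, upload_dir,
                 now=None, expire_seconds=3600):
    """Mirrors getSTSUploadPolicy: returns the same fields the STSPolicyDTO carries to the client."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    date = now.strftime("%Y%m%d")                                    # TIME_FORMAT_PATTERN_2
    x_oss_date = now.strftime("%Y%m%dT%H%M%SZ")                      # TIME_FORMAT_PATTERN_1
    expiration = (now + timedelta(seconds=expire_seconds)).strftime("%Y-%m-%dT%H:%M:%S.000Z")  # OSSUtil pattern
    x_oss_credential = f"{access_key_id}/{date}/{region}/oss/aliyun_v4_request"
    policy = build_policy(bucket, security_token, x_oss_credential, x_oss_date, upload_dir, expiration)
    string_to_sign, signature = sign_policy(policy, access_key_secret, date, region)
    return {"version": "OSS4-HMAC-SHA256", "policy": string_to_sign, "x_oss_credential": x_oss_credential,
            "x_oss_date": x_oss_date, "signature": signature, "security_token": security_token,
            "dir": upload_dir, "host": f"https://{bucket}.{endpoint}"}


def verify_policy_signature(policy_b64: str, signature: str, access_key_secret: str, region: str, now=None) -> bool:
    """The receiving side's check: take the date from the policy's own x-oss-credential (never from the
    caller), reject expired policies, recompute and compare in constant time. A tampered policy fails here."""
    policy = decode_policy(policy_b64)
    cred = next(c["x-oss-credential"] for c in policy["conditions"]
                if isinstance(c, dict) and "x-oss-credential" in c)
    _key_id, date, cred_region, _service, _terminator = cred.split("/")
    if cred_region != region:
        return False
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    if datetime.strptime(policy["expiration"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc) <= now:
        return False
    expected = hmac_sha256(signing_key(access_key_secret, date, region), policy_b64).hex()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    issued = issue_policy(**SAMPLE, now=FIXED_NOW)
    print(json.dumps(issued, indent=2))
    print("verifies:", verify_policy_signature(issued["policy"], issued["signature"],
                                               SAMPLE["access_key_secret"], SAMPLE["region"], now=FIXED_NOW))
```

The Java code serializes a HashMap, so its JSON key order may differ from this script's; that does not matter, because the signature covers whatever base64 string the server hands out, and the client must send that exact string back as the `policy` form field.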
OSSUtil.java
```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;

public class OSSUtil {
    private OSSUtil() {}

    /** Date-time format, e.g. 2023-12-03T13:00:00.000Z */
    public static final String TIME_FORMAT_PATTERN = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";

    public static byte[] getHmacSHA256(byte[] key, String data) {
        try {
            // Initialise the HMAC key spec with the HMAC-SHA256 algorithm and the supplied key.
            SecretKeySpec secretKeySpec = new SecretKeySpec(key, "HmacSHA256");
            // Obtain a Mac instance for HMAC-SHA256 via getInstance.
            Mac mac = Mac.getInstance("HmacSHA256");
            // Initialise the Mac object with the key.
            mac.init(secretKeySpec);
            // Run the HMAC computation: doFinal takes the data and returns the result bytes.
            // UTF-8 is fixed explicitly so the result does not depend on the platform default charset.
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            throw new RuntimeException("Failed to calculate HMAC-SHA256", e);
        }
    }

    /**
     * Generate an expiration time from a validity period in seconds.
     *
     * @param seconds validity period in seconds.
     * @return ISO 8601 timestamp, e.g. "2014-12-01T12:00:00.000Z".
     */
    public static String generateExpiration(long seconds) {
        // current epoch time in seconds
        long now = Instant.now().getEpochSecond();
        // expiration epoch time
        long expirationTime = now + seconds;
        // convert the timestamp to an Instant and format it as ISO 8601
        Instant instant = Instant.ofEpochSecond(expirationTime);
        // time zone: UTC
        ZoneId zone = ZoneOffset.UTC;
        // Instant -> ZonedDateTime
        ZonedDateTime zonedDateTime = instant.atZone(zone);
        // date-time format, e.g. 2023-12-03T13:00:00.000Z
        DateTimeFormatter formatter = DateTimeFormatter.ofPattern(TIME_FORMAT_PATTERN);
        // formatted result
        return zonedDateTime.format(formatter);
    }
}
```
STSPolicyDTO.java
```java
import lombok.Getter;
import lombok.Setter;
import lombok.experimental.Accessors;

@Getter
@Setter
@Accessors(chain = true)
public class STSPolicyDTO {
    /** The official sample uses "OSS4-HMAC-SHA256" */
    private String version = "OSS4-HMAC-SHA256";
    private String policy;
    private String x_oss_credential;
    private String x_oss_date;
    private String signature;
    private String security_token;
    private String dir;
    private String host;
}
```
Exposing the endpoint
```java
import com.fasterxml.jackson.core.JsonProcessingException;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/oss")
@Api("OSS file upload signing")
public class AliOSSController {
    final AliOSSService ossService;

    public AliOSSController(AliOSSService ossService) {
        this.ossService = ossService;
    }

    /**
     * OSS file upload: server-side signing, web-side direct upload.
     * This endpoint returns the signing information the web client needs for direct upload.
     * Documentation: https://help.aliyun.com/zh/oss/use-cases/obtain-signature-information-from-the-server-and-upload-data-to-oss?spm=a2c4g.11186623.help-menu-31815.d_6_1_0_0.386b4acdkrwKDc&scm=20140722.H_31926._.OR_help-T_cn~zh-V_1
     * @return policy, signature and temporary credentials
     */
    @GetMapping("policy")
    @ApiOperation("STS signing, V4")
    public R<STSPolicyDTO> policy() throws JsonProcessingException {
        // UploadPolicyDTO uploadPolicy = ossService.getUploadPolicy();
        STSPolicyDTO uploadPolicy = ossService.getSTSUploadPolicy();
        return R.ok().data(uploadPolicy);
    }
}
```
Sample response from the endpoint
```json
{
  "success": true,
  "code": 2000,
  "message": "成功",
  "data": {
    "version": "OSS4-HMAC-SHA256",
    "policy": "eyJleHBpcmF0aW9uIjoiMjAyNS0wNy0zMFQxNToyMjowNy4wMDBaIiwiY29uZGl0aW9ucyI6W3siYnVja2V0IjoiaWRvb3ktbWFsbCJ9LHsieC1vc3Mtc2VjdXJpdHktdG9rZW4iOiJDQUlTelFKMXE2RnQ1QjJ5ZlNqSXI1blFFZXo1aDVzVjRZYXpZM1BjZ1ZFZGFkcGl2cFB5aWp6MklIaE1lWEJoQStrZHR2b3duMnBaN3Z3Y2xyMXlSNWhDVkhiRGFjWkw0NDlNOEFTblJZUEV0cFFiWm1DelpjYjNkMUtJQWp2WGdlWHdBWXlnUHY2L0Y5NnBiMWZiN0Z3UnBaTHhhVFNsV1hHOExKU05rdVFKUjk4TFh3NitIMUVrYlpVc1VXa0Vrc0lCTW1iTFB2dUFLd1BqaG5HcWJIQmxvUTFoazJoeW04L2RxNCsra2tPRzBnU2xsYkJPKzltdWNzUDdNWmxXVWMwaEE0dnY3b3RmYmJIYzFTTmMwUjlPK1pwdGdiWk1rVFc5NVluRlhnQUF1VXpkYTdTTHFZYytkRlVuZk00OUFMVUJzL1gyME9CZ3Z1dmFtNVJIYk9USnNUek1PczYyWmZkRG9LT3NjSXZCWHI2eUpRamxvSElPQzZpd0xHL3pxUzBtVjJBNTlmOG1GQ0haMG9hWjZOSDlvOXdiODBKR0ZZRURvL1phcHNKdXFzSkpPdUtlcEE2QVZ0VW44QVhuSzkwYWdBRWloRDByMzE0TnNadUp6UHFkbkF3aUVXWjhWdWFvWlZUUzl0eTdmTW1vUTRIaGsrODE3U3BqeWVvMloycGo3T21zaFVWRmpKNFN5cjVsMWo2VFM3aVBqcFZlRG1xZjhtZ0tRc2F0bFdReHFwdk9MQmIray9QTktNei9kRXA4RFF3clg3S2x6b1RVRTA4bndKK0dqeEFFd0FkVWh3blBBbk14dVlXTEZrdUtZQ0FBIn0seyJ4LW9zcy1zaWduYXR1cmUtdmVyc2lvbiI6Ik9TUzQtSE1BQy1TSEEyNTYifSx7Ingtb3NzLWNyZWRlbnRpYWwiOiJTVFMuTlplWlZNakQ0VkRYYVVtZVFIZVVOUVZZaC8yMDI1MDczMC9jbi1jaGVuZ2R1L29zcy9hbGl5dW5fdjRfcmVxdWVzdCJ9LHsieC1vc3MtZGF0ZSI6IjIwMjUwNzMwVDE0MjIwN1oifSxbImNvbnRlbnQtbGVuZ3RoLXJhbmdlIiwxLDEwMjQwMDAwXSxbImVxIiwiJHN1Y2Nlc3NfYWN0aW9uX3N0YXR1cyIsIjIwMCJdLFsic3RhcnRzLXdpdGgiLCIka2V5IiwiYnJhbmQvMjAyNS0wNy0zMCJdXX0=",
    "x_oss_credential": "STS.NZeZVMjD4VDXaUmeQHeUNQVYh/20250730/cn-chengdu/oss/aliyun_v4_request",
    "x_oss_date": "20250730T142207Z",
    "signature": "e583ba3040d9ac4544b4008f7193edf30fdef75cca6d4ca0e449150cf4904165",
    "security_token": "CAISzQJ1q6Ft5B2yfSjIr5nQEez5h5sV4YazY3PcgVEdadpivpPyijz2IHhMeXBhA+kdtvown2pZ7vwclr1yR5hCVHbDacZL449M8ASnRYPEtpQbZmCzZcb3d1KIAjvXgeXwAYygPv6/F96pb1fb7FwRpZLxaTSlWXG8LJSNkuQJR98LXw6+H1EkbZUsUWkEksIBMmbLPvuAKwPjhnGqbHBloQ1hk2hym8/dq4++kkOG0gSllbBO+9mucsP7MZlWUc0hA4vv7otfbbHc1SNc0R9O+ZptgbZMkTW95YnFXgAAuUzda7SLqYc+dFUnfM49ALUBs/X20OBgvuvam5RHbOTJsTzMOs62ZfdDoKOscIvBXr6yJQjloHIOC6iwLG/zqS0mV2A59f8mFCHZ0oaZ6NH9o9wb80JGFYEDo/ZapsJuqsJJOuKepA6AVtUn8AXnK90agAEihD0r314NsZuJzPqdnAwiEWZ8VuaoZVTS9ty7fMmoQ4Hhk+817Spjyeo2Z2pj7OmshUVFjJ4Syr5l1j6TS7iPjpVeDmqf8mgKQsatlWQxqpvOLBb+k/PNKMz/dEp8DQwrX7KlzoTUE08nwJ+GjxAEwAdUhwnPAnMxuYWLFkuKYCAA",
    "dir": "brand/2025-07-30",
    "host": "目標bucket的公網訪問域名"
  }
}
```
Simulating web-side direct upload with Apifox
The upload URL is the public access domain of your own target bucket; it can also be taken straight from the host field in the endpoint response above. This part is built into your own front-end project. A short explanation of the upload parameter names follows.
Request parameter names:
```
success_action_status    "200"
policy                   data.policy
x-oss-signature          data.signature
x-oss-signature-version  "OSS4-HMAC-SHA256"
x-oss-credential         data.x_oss_credential
x-oss-date               data.x_oss_date
key                      data.dir + file.name   // object name
x-oss-security-token     data.security_token
file                     file                   // file must be the last form field
```
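As an added example (not the post's code, and no network access), here is the form assembled from the parameter table above, followed by a local pre-check that applies the same conditions OSS enforces server-side (bucket, eq, starts-with, content-length-range). Running it on a rejected upload shows which condition the form violates before you dig into the OSS error. `DATA` is a constructed stand-in for the `/oss/policy` response with placeholder credentials and a placeholder signature. One caveat it handles: `dir` in the response carries no trailing slash, so `data.dir + file.name` yields `brand/2025-07-30photo.png`; the helper inserts the `/`, which still satisfies the `starts-with` condition.

```python
"""Build the direct-upload form and pre-check it against the policy conditions locally.
Added example, not the post's code; DATA is a constructed stand-in for the /oss/policy response."""
import base64
import json

# Constructed policy, shaped exactly like the one getSTSUploadPolicy produces (placeholder values).
_POLICY = {
    "expiration": "2025-07-30T15:22:07.000Z",
    "conditions": [
        {"bucket": "example-bucket"},
        {"x-oss-security-token": "EXAMPLE-TOKEN-not-real"},
        {"x-oss-signature-version": "OSS4-HMAC-SHA256"},
        {"x-oss-credential": "STS.EXAMPLEKEYID/20250730/cn-chengdu/oss/aliyun_v4_request"},
        {"x-oss-date": "20250730T142207Z"},
        ["content-length-range", 1, 10240000],
        ["eq", "$success_action_status", "200"],
        ["starts-with", "$key", "brand/2025-07-30"],
    ],
}
DATA = {  # constructed stand-in for the /oss/policy response body's "data" object
    "version": "OSS4-HMAC-SHA256",
    "policy": base64.b64encode(json.dumps(_POLICY, separators=(",", ":")).encode("utf-8")).decode("ascii"),
    "x_oss_credential": "STS.EXAMPLEKEYID/20250730/cn-chengdu/oss/aliyun_v4_request",
    "x_oss_date": "20250730T142207Z",
    "signature": "0" * 64,  # placeholder; the real value is computed by the server
    "security_token": "EXAMPLE-TOKEN-not-real",
    "dir": "brand/2025-07-30",
    "host": "https://example-bucket.oss-cn-chengdu.aliyuncs.com",  # assumed endpoint naming
}


def build_form_fields(data: dict, file_name: str) -> list:
    """Ordered (name, value) pairs from the post's parameter table. The caller appends ("file", <bytes>)
    last, as the post requires. dir has no trailing slash, so "/" is inserted before the file name."""
    return [
        ("success_action_status", "200"),
        ("policy", data["policy"]),
        ("x-oss-signature", data["signature"]),
        ("x-oss-signature-version", "OSS4-HMAC-SHA256"),
        ("x-oss-credential", data["x_oss_credential"]),
        ("x-oss-date", data["x_oss_date"]),
        ("key", data["dir"].rstrip("/") + "/" + file_name),
        ("x-oss-security-token", data["security_token"]),
    ]


def check_form_against_policy(policy_b64: str, fields: list, file_size: int, bucket: str) -> list:
    """Evaluate every policy condition against the form; returns a list of violations (empty = OK).
    `bucket` is the bucket the form is posted to (it comes from the host, not from a form field)."""
    policy = json.loads(base64.b64decode(policy_b64))
    form = dict(fields)
    problems = []
    for cond in policy["conditions"]:
        if isinstance(cond, dict):                       # {"name": value} means exact match on that field
            [(name, want)] = cond.items()
            have = bucket if name == "bucket" else form.get(name)
            if have != want:
                problems.append(f"{name}: policy requires {want!r}, form has {have!r}")
        elif cond[0] == "content-length-range":
            lo, hi = cond[1], cond[2]
            if not lo <= file_size <= hi:
                problems.append(f"file size {file_size} outside [{lo}, {hi}]")
        else:                                            # ["eq" | "starts-with", "$field", value]
            op, field, want = cond
            have = form.get(field.lstrip("$"))
            if op == "eq" and have != want:
                problems.append(f"{field}: policy requires {want!r}, form has {have!r}")
            elif op == "starts-with" and not (have or "").startswith(want):
                problems.append(f"{field}: {have!r} does not start with {want!r}")
    return problems


if __name__ == "__main__":
    fields = build_form_fields(DATA, "photo.png")
    for name, value in fields:
        print(f"{name:24s} {value[:40]}")
    print("violations:", check_form_against_policy(DATA["policy"], fields, 1024, "example-bucket"))
    print("oversized:", check_form_against_policy(DATA["policy"], fields, 20_000_000, "example-bucket"))
```

The check is only a convenience for debugging on the client side; OSS evaluates the signed policy itself, so a form that fails here will also be rejected by the bucket, while a form that passes here but carries a wrong signature is still refused.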
I have no real writing skill; this is mainly a record from my own point of view. Please bear with me, and feel free to discuss in the comments so we can learn together.