Thread: Wowza SecureToken and FlowPlayer secure streaming plugin

  1. #1
    Join Date
    Aug 2011
    Posts
    10


    Hi all,

    I configured the SecureToken module as the Security guide says.
    I configured the Flowplayer plugin as Flowplayer says: http://flowplayer.org/plugins/streaming/secure.html

    But it does not work. On Wowza I get this log:
    ModuleSecureToken.onConnect: Action before response received: kill connection: clientId:182808838

    FlowPlayer conf:

    <a
        href="Extremists.flv"
        style="display:block;width:520px;height:330px"
        id="player">
    </a>

    <!-- this will install flowplayer inside previous A- tag. -->
    <script type="text/javascript">
    flowplayer("player", "../flowplayer-3.2.7.swf", {
        clip: {
            url: 'mp4:sample.mp4',
            provider: 'rtmp',
            // route the connection through the secure streaming plugin
            connectionProvider: 'secure'
        },
        plugins: {
            rtmp: {
                url: '../flowplayer.rtmp-3.2.3.swf',
                netConnectionUrl: 'rtmp://<ip>/rtvcdmsecured'
            },
            secure: {
                // path to the latest version
                url: '../flowplayer.securestreaming-3.2.3.swf',
                // a secure token
                token: 'passtest'
            }
        }
    });
    </script>

    SecureToken module conf (Application.xml):

            <Module>
                <Name>flvplayback</Name>
                <Description>FLVPlayback</Description>
                <Class>com.wowza.wms.module.ModuleFLVPlayback</Class>
            </Module>
            <Module>
                <Name>ModuleSecureToken</Name>
                <Description>ModuleSecureToken</Description>
                <Class>com.wowza.wms.plugin.security.ModuleSecureToken</Class>
            </Module>
        </Modules>
        <!-- Properties defined here will be added to the IApplication.getProperties() and IApplicationInstance.getProperties() collections -->
        <Properties>
            <Property>
                <Name>secureTokenSharedSecret</Name>
                <Value>passtest</Value>
            </Property>
        </Properties>

    Any Help please.

  2. #2
    Join Date
    Dec 2007
    Posts
    28,369


    The token has to be compiled into the swf. You can refer to the JW Player guide for doing this:

    http://www.wowza.com/forums/content....to-JW-Player-5

    In Flowplayer the file will be different, but the NetStatusEvent that is used will be the same.

    This is how to compile Flowplayer:
    http://flowplayer.org/documentation/...vironment.html

    Richard

  3. #3
    Join Date
    Aug 2011
    Posts
    10


    Hi rrlanham,

    The Flash player has to be FlowPlayer, and according to the Flowplayer page the token can be placed in the JavaScript code, at least for test purposes.

    The Flowplayer forum did not answer my question, so I appreciate your support.

  4. #4
    Join Date
    Dec 2007
    Posts
    28,369


    As far as I know, you have to compile a new SWF. Adding a token to JavaScript is not very secure, and I just don't know if or how that works. I think I tried it a while ago and it didn't. You might want to hire a Flash developer to help. We have a list of independent consultants. Write to support@wowza.com if you want us to send that. Include a link to this thread.

    Richard

  5. #5


    Richard is correct, as usual

    Compiling plugins for flowplayer is not too bad; http://flowplayer.org/documentation/...vironment.html <- this guide is a good start.

    I had no problems compiling new SecureToken plugins with the key embedded using the Flex SDK on Linux. Just make sure you follow the guide closely, and make all the needed changes to build.properties and plugin-build.properties to match your env.

  6. #6


    Compiled without a problem. Just follow the guide and all will be fine.

  7. #7


    Hello,

    I changed the build.properties and plugin-build.properties and when I run ant I receive this error log:

    -------
    A:\Vejoaovivo\Instaladores\Compilar_player\flowplayer\flowplayer.core>ant
    Buildfile: A:\Vejoaovivo\Instaladores\Compilar_player\flowplayer\flowplayer.core
    \build.xml

    check-uptodate:
    [echo] main up-to-date: ${uptodate.main}
    [echo] main up-to-date: ${uptodate.commercial}
    [echo] lib up-to-date: ${uptodate.lib}

    build-lib:

    prepare:

    compile-lib:
    [exec] Error loading: C:\Program Files\Java\jdk1.7.0_01\jre\bin\server\jvm.
    dll

    BUILD FAILED
    A:\Vejoaovivo\Instaladores\Compilar_player\flowplayer\flowplayer.core\build.xml:
    235: The following error occurred while executing this line:
    A:\Vejoaovivo\Instaladores\Compilar_player\flowplayer\flowplayer.core\build.xml:
    241: exec returned: 6
    ---------

    The Path is set correctly and the file jvm.dll is there.
    In the build.xml the lines 233-256 are:

    ---------
    <target name="build-lib" description="builds the FlowPlayer library" depends="check-uptodate" unless="uptodate.lib">
        <antcall target="prepare"/>
        <antcall target="compile-lib"/>
        <copy file="${build-dir}/${library-binary}" tofile="${build-dir}/${library-binary-versioned}"/>
        <copy file="${build-dir}/${library-binary}" todir="${devkit-dir}"/>
    </target>

    <target name="compile-lib">
        <exec executable="${compc_bin}" failonerror="true">
            <arg line="-source-path ${src-as} ${src-as-commercial} ${classpath}"/>
            <arg line="-compute-digest=false"/>
            <arg line="-output '${build-dir}/${library-binary}'"/>
            <arg line="-namespace http://flowplayer.org/flowplayer/2008 ${basedir}/manifest.xml -include-namespaces http://flowplayer.org/flowplayer/2008"/>
            <arg line="-library-path ${libs-path} ${src-flash} "/>
            <arg line="-default-frame-rate=${framerate}"/>
            <arg line="-default-background-color=${bgcolor}"/>
            <arg line="-strict=true"/>
            <arg line="-incremental=true"/>
            <arg line="-define+=CONFIG::debug,'false'"/>
            <arg line="-define+=CONFIG::FLASH_10_1,'${flash.use.10.1}'"/>
            <arg line="-target-player '${flash.target.player}'"/>

        </exec>
    </target>
    -----------


    The build.properties is:


    ------------
    # you need to adjust following to point to your Flex SDK
    flex3dir=A:/Vejoaovivo/Instaladores/Compilar_player/flex_sdk_4.6

    # change following to point to .exe files when running on Windows
    mxmlc_bin= ${flex3bindir}/mxmlc.exe
    compc_bin= ${flex3bindir}/compc.exe
    asdoc_bin= ${flex3bindir}/asdoc.exe

    devkit-dir=../flowplayer.devkit
    plugins.dir=../

    site.dir=/Users/api/hyde/newsite
    js.deploy.dir=${site.dir}/deploy/js
    deploy.dir=${site.dir}/content/swf

    #plugin.buildfiles=
    #
    #plugin.buildfiles=controls/build.xml,viralvideos/build.xml,bitrateselect/build.xml
    plugin.buildfiles=controls/build.xml,pseudostreaming/build.xml,menu/build.xml,sharing/build.xml

    # all plugins
    allplugins.buildfiles=analytics/build.xml,audio/build.xml,bwcheck/build.xml,bwcheck/build-httpstreaming.xml \
    captions/build.xml,content/build.xml,controls/build.xml,controls/build-tube.xml,controls/build-air.xml,controls/build-skinless.xml, \
    f4m/build.xml,httpstreaming/build.xml,pseudostreaming/build.xml,rtmp/build.xml,securestreaming/build.xml, \
    sharing/build.xml,slowmotion/build.xml,smil/build.xml,viralvideos/build.xml,securedrm/build.xml, \
    bitrateselect/build.xml,menu/build.xml,cluster/build.xml,youtube/build.xml

    jsplugins.buildfiles=controls/trunk/build.xml,embed/trunk/build.xml,ipad/trunk/build.xml,playlist/trunk/build.xml,bitrateselect/trunk/build.xml

    cloudfront.version=3.3
    adsense.version=flowplayer.org-1.6.1

    # for plugins that can be built inside the player

    plugin-classes=0/src/actionscript ${plugins.dir}content/src/actionscript \
    ${plugins.dir}akamai/src/actionscript ${plugins.dir}rtmp/src/actionscript ${plugins.dir}pseudostreaming/src/actionscript \
    ${plugins.dir}audio/src/actionscript ${plugins.dir}bwcheck/src/actionscript ${plugins.dir}cluster/src/actionscript \
    ${plugins.dir}captions/src/actionscript ${plugins.dir}securestreaming/src/actionscript ${plugins.dir}smil/src/actionscript \
    ${plugins.dir}common/src/actionscript

    plugin-swc=../controls/src/flash ../content/src/flash ../viralvideos/src/flash ../pseudostreaming/lib

    controls-dir=../controls
    compiler.defines=

    # following can usually be left as they are
    flex3bindir=${flex3dir}/bin
    flex3libsdir=${flex3dir}/frameworks/libs
    flashplayer_bin=
    framerate=24
    bgcolor=0xFFFFFF
    width=500
    height=350

    # Flash Player targets
    flash.use.10.1=true
    flash.target.player=10.2.0
    #flash.use.10.1=false
    #flash.target.player=10.0.0

  8. #8


    Originally posted by rrlanham:

        As far as I know, you have to compile a new SWF. Adding a token to JavaScript is not very secure, and I just don't know if or how that works. I think I tried it a while ago and it didn't. You might want to hire a Flash developer to help. We have a list of independent consultants. Write to support@wowza.com if you want us to send that. Include a link to this thread.

        Richard

    But how secure is using the SWF? Can't they just download and recompile the SWF?

    Isn't that why there are vendors who are selling token systems that don't rely on the SWF?

    I was told:

        Protecting a SWF (hash internal) is not the best case, and there are a multitude of programs that can strip that data out. Instead you should take the approach that you do a secure call into the system to generate hotlinking so you do not have a hardcoded hash. Protecting the SWF better then becomes obsolete if you are doing an external call.

    So what is Wowza's position on this?

  9. #9
    Join Date
    Dec 2007
    Posts
    28,369


    We think that whatever you do for security will help. I think that there is no way to absolutely prevent and make impossible theft of content except by not distributing it. Charlie has made the point that one-off or custom security features, like what you mention, are very good even if they aren't that good, just because it is one more thing to deal with for the bad actor, and being unique or custom will take dedicated effort to defeat.

    SWF files can be decompiled by someone that knows that and has the tools to do it; then they can sift through the code to find your SecureToken so they can steal your content. That takes some effort and know-how. If you use an obfuscator, that becomes much more difficult, but still not impossible.

    Take a look at the Security Overview article:
    http://www.wowza.com/forums/content....urity-overview

    Richard
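
The alternative quoted in post #8, where a server-side call issues a short-lived link so that no secret ships inside the SWF or page JavaScript, sketched as an added example. It is not code from this thread and not Wowza's SecureToken protocol; the `exp` and `sig` parameter names, the function names, the secret and the sample URL are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample secret: it is held only by the web application and the
# streaming-side check, never embedded in the player SWF or page JavaScript.
SECRET = b"constructed-sample-secret"


def _mac(path: str, client_ip: str, expires: int) -> str:
    # Bind the signature to the stream path, the viewer's IP and an expiry.
    msg = f"{path}|{client_ip}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_link(base_url: str, client_ip: str, ttl: int = 60, now=None) -> str:
    """Called by the web application after it has authenticated the viewer."""
    now = int(time.time() if now is None else now)
    expires = now + ttl
    path = urlsplit(base_url).path
    query = urlencode({"exp": expires, "sig": _mac(path, client_ip, expires)})
    return f"{base_url}?{query}"


def verify_link(url: str, client_ip: str, now=None) -> bool:
    """Called on the streaming side before the connection is accepted."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # missing or malformed parameters
    if now > expires:
        return False  # link has expired
    expected = _mac(parts.path, client_ip, expires)
    # Constant-time comparison; encoding first keeps non-ASCII input from raising.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

A copied link stops working once it expires or when it is presented from a different address, which is the property a fixed token embedded in the player cannot provide.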
