Wowza Community

Conditionally invoke ModuleCoreSecurity (url token playback protection)

I have a use case where a certain published URL that is used to access any stream from an application, should be protected with playback security (url token/hashing) while other should just pass though.

I copied an Application that had working Playback Security on it, and removed the shared secret property from that. I also enabled a very simple custom module which defines an onConnect method. I am able to use client.getUri to obtain the published URL I am looking for, but I am wondering what the best approach would be to using the built in URL hashing module.

I noticed that when enabling the Token Hashing Playback Security, the property that seems to be required for default protection to initiate, seems to be ‘securitySecureTokenSharedSecret’. My plan was to use this as a swtich to enable/disable ModuleCoreSecurity from performing the hash check on a stream in a custom onConnect module method.


if: URL == SpecificValue, then toggle the securitySecureTokenSharedSecret property so that ModuleCoreSecurity can use that to hash the url and accept/reject (making sure this value only persists per connection would also be important)

else: All others would not be subject to a url hashing check.

Would I be better of trying to create a new invocation of the ModuleCoreSecurity, initiating it with all the properties and attempting to invoke the same calls that the built in product would use? Can this approach be truly handled by only an onConnect method, or do I need to perform some actions at the appStart as well?


It would be a fairly difficult process to selectively apply secure token to specific requests on an application without a lot of work. The simplest option (and what we would recommend) would be to use a separate application or appInstance for the unauthenticated streams. On this one, secure token is disabled while on the other one, it is enabled.

It would be fairly straightforward to test if the player is connecting to the correct appInstance and reject (or redirect) it if not.