Wowza Community

MediaSecurity AddOn Package (SecureToken, RTMP & RTSP Authentication and more)

That doesn’t add up. Did you restart Wowza? To see application level changes right away during testing, you should restart Wowza.


Try removing ModuleSecureURLParams, restart Wowza, and see if it works without security.


Do you see any errors in the access log regarding ModuleRTMPAuthenticate

Try making ModuleRTMPAuthenticate last in the Module list.

Did you copy the security jar to the instance from the package? You don’t actually have to do that, it is already there, and is possible that caused problems. Look at the files in the lib folder.


I think it’s a problem to copy the security jar from the package to EC2 instance. You might have to start a new instance. I’m not sure.


Try this one more time. Start Wowza in stand alone mode, using putty /bin/

Then try to publish to the application where you installed ModuleRTMPAuthenticate.

Make sure you are publishing to the same application. Make sure that the Application.xml you have configured is located here:


Where [appName] is same application you are publishing to in Wirecast.

When you publish in Wirecast, look at the console output in Putty, are they any errros regarding ModuleRTMPAuthenticate?

Note that if you have that module in the right Application.xml, you should either see it doing something, or Wowza will complain that you have referenced a Module that does not exist… something should happen. Try to debug this.

If you still cannot get it to work, zip up the entire /conf and /logs folder, take screen shots of all the wirecast screens, and post on your web server and send a link to download that to Please include a link to this thread


I got it to work. Like this:

ffmpeg -i sample.mp4 -strict experimental -acodec aac -ab 64k -s 720x406 -vcodec libx264 -vpre default -vpre ipod640 -g 90 -b 768k -threads 64 -f flv rtmp://localhost:1935/live?doPublish=123/myStream

Using ModuleSecureURLParams and secureurlparams.publish property.

The trick is place the querystring after the application name.


I updated the example with one that works much better.


I think this depends on the SSL certificate you setup to support RTMPS.

Using RTMPE is much easier, it does not require a certificate, you just use it.


ModuleRTMPAuthenticate will an encoder like FMLE or Wirecast to provider username/password to connect. It just works with certain encoders.

If you using a Flash app to publish, you can use ModuleOnConnectAuthenticate.

See this post for using a database as lookup:

But to meet your a.b.c.d. criteria, you would have to use override publish command. You could use querystring on stream name to pass username and password.



With RTMPE the stream is encrypted.


First, using SecureURLParams you will not see an authentication challenge in any encoder, it will just fail if the querystring is not correct.

With doPublish set, the encoder can connect but it should not be able to publish. With RTMP live encoders connecting and publishing are distinct. Try this instead:


If publishing with ffpmeg


In FMLE add the querystring to the FMS URL: rtmp://[wowza-address]:1935/live?doConnect=12345


Hi Khan,

Take a look at this JDBC example, which also uses onConnect()

Note that with the onConnect parameter set you will also have to add that querystring to RTMP playback clients so they are allowed to connect. You can revert to using doPublish param, but understand that the publishing client will be able to connect to the server but will not be able to publish.


Also, I don’t think there is an Wowza API to add lines to the publish.password file but it’s plain text file so you can use Java in application module, or more likely an HTTPProvider to integrate with your PHP script.


Using Secure Token with Wowza Media Server Pro 1.7.2

Hey Charlie or Richard,

For working with Wowza 1.7.2 and using secure token for on-demand content is this what the Application.xml should look like:








Also, if I did not add the Secure Connection property would it require just the rtmp:// protocol (and not rtmpe) along with the secure token on the client side?



When using RTMP authentication with either FMLE or Wirecast how do I prevent users that can authenticate from Publishing Live Streams to other applications.

I might want User1 to Authenticate and publish a live stream to:


but I don’t want User1 to be able to publish to:

rtmp://ipaddress/live8 (I want this to be reserved for only User2.)

If this is not possible with RTMP authentication is there a better approach?



Thanks a million Ale! That worked great!



I went to install WMS with SecureToken to use with RTMPE (for VOD).

I use FlowPlayer compiled with my token and it’s work fine.

But in the html source it’s easy to see the url of the file. They can’t donwload it and noboby can view my videos without this player player. But if someone grab the swf file of the player and put it on line, i can view the video.

So is it possible to allow acces to the flux, only if the player is running from my website ? Or maybe this is an available option in the flowplayer ?



Put the properties this way:



And put one file called, “publish.password” into each Application folder, this way each Application has your own allow list.



A pleasure!!! BTW, is possible use this same instruction for ApplicationInstance level.

The correct properties is:




You can protect the SWF as well. There are some docs here on the forum and Ithink a link to the particular thread is in the MediaSecurity packages docs.

Basically it’s a ‘stub’ SWF file that is loaded from the webserver which then loads the secure SWF file from the Wowza server. That prevents anyone from ‘stealing’ your player to playback content using your secure token. (since your actual player is loaded from another SWF from the wowza server as a stream and not from a webserver as a file)