Wowza Community

MediaSecurity AddOn Package (SecureToken, RTMP & RTSP Authentication and more)

Hi guys,

I’m starting out with the setup of security on Wowza EC2 and I have a little problem. Following the guide in this Addon, I added the Application.xml into the now /conf/ dir and added the module to the end (before the closing tag of course):


but I can still see the sample video using rtmp://mypublicip/vod. Is there something else to touch?

Thanks in advance and sorry for the newbie question :o


Do you see any errors in the access log regarding ModuleRTMPAuthenticate

Try making ModuleRTMPAuthenticate last in the Module list.

Did you copy the security jar to the instance from the package? You don’t actually have to do that, it is already there, and is possible that caused problems. Look at the files in the lib folder.


Hi Richard, thanks for your answer.

I found several lines about ModuleRTMPAuthenticate:

19/08/2010 14:39:54 EDT comment server INFO 200 - ModuleRTMPAuthenticate.onAppStart: SecureToken is off - - - 6.616.993 - - - - - - - - - - - - - - - - - - - - - - - - -

19/08/2010 14:39:54 EDT comment server INFO 200 - ModuleRTMPAuthenticate.onAppStart: Authorization password file: /usr/local/WowzaMediaServer/conf/publish.password - - - 6.616.994 - - - - - - - - - - - - - - - - - - - - - - - - -

I’ve uploaded the two .jar files from the zip lib folder (one of them was one byte bigger than the one in the AMI) and moved to module to the very last of the list, but I can still upload without authenticating. Also, the access log doesn’t show these lines about ModuleRTMPAuthenticate anymore.

BTW what is the difference between normal and digest authentication? I tried both again without success but I don’t know what those are.

Thanks again.

Richard, I just moved the jar files… for the last test. I was originally working with the AMI jar files so both of them are tested with the same result.

This is getting weirder by the minute. I just tried (I know it doesn’t help but I tried it anyways) to live stream from Wirecast using the address rtmpe://[server-public-dns]/live and it says that it can’t find the host. Also tried with :1935 after the public DNS and got the same result.

My firewall has the port 1935 open, the AMI security group has port 1935 open and VHost.xml shows port 1935 open too… can this be part of the problem? Why can’t I see my server using RTMPE?

if I try normal rtmp streaming from Wirecast, the server still allows it like before without any kind of security.

Incredible… I shut down the WMS server and start it up again in standalone mode and now it works… amazing.

Thanks Richard :wink:

Can somebody give me information about how many bits has key used in RTMPS?



We’re very new to Wowza, but have been thru the docs and forums several times looking for clues. Excited at the possibilities here.

We’re trying to develop a custom authentication module for authenticating publishers (those sending a live stream TO Wowza) thru a mechanism other than a flat file (likely MySQL if that’s material to the discussion). We’re using ModuleRTMPAuthenticate as a starting point, but there are a few things I need to understand before we can continue.

When a publisher initiates her live stream (sending to wowza), I would think I’d need several things in one place to determine whether or not she is okay to stream:

(a) Application [instance]

(b) Stream Name

© User

(d) Password

I can’t seem to get these items all in one place. Further, I don’t seem to understand exactly how the authentication (or connection) mechanisms work here - specifically in what order they fire and what pieces of the above items are available at what point in the lifecycle.

Would love a little guidance here, or a dope slap [hopefully with a link :)] if we’ve missed something huge…if anyone has been down this road.




Thanks so much for the quick reply. In fact, in my haste I thought I had overridden publish but had the wrong signature of onPublish. Problem solved. I have nearly everything I need in one place.

We are in fact using Wirecast at this time for testing, but your point is certainly taken, as ModuleRTMPAuthenticate only works with a subset of encoders.

So we’ll likely just override publish as you indicated, and use querystring data to pass the credentials. Which brings me to a question:

Can one encrypt the publish side of things while allowing the view side to be un-encrypted? I have seen RTMPE being suggested by you and Charlie over RTMPS, so perhaps we’ll try that road next. I’m not certain if the URI is encrypted with RTMPE, or if we’d need to encrypt the qs there as well…easy enough if needed.

Thanks again for your great help here!


Hello, I have wowza serverr 2.2.3 and I am trying to secure my server by putting some type of authentication. I used This article but the connection is not even asking for username and password. it just connects to the server.

I tried putting different numbers instead of 12345 like 9999999 and it still connects to the server.


		<!-- Uncomment to set application level timeout values
			StorageDir path variables
			${com.wowza.wms.AppHome} - Application home directory
			${com.wowza.wms.ConfigHome} - Configuration home directory
			${com.wowza.wms.context.VHost} - Virtual host name
			${com.wowza.wms.context.VHostConfigHome} - Virtual host config directory
			${com.wowza.wms.context.Application} - Application name
			${com.wowza.wms.context.ApplicationInstance} - Application instance name
			<!-- LiveStreamPacketizers (separate with commas): cupertinostreamingpacketizer, smoothstreamingpacketizer, sanjosestreamingpacketizer, cupertinostreamingrepeater, smoothstreamingrepeater, sanjosestreamingrepeater -->
			<!-- Properties defined here will override any properties defined in conf/Streams.xml for any streams types loaded by this application -->
		<!-- HTTPStreamers (separate with commas): cupertinostreaming, smoothstreaming, sanjosestreaming -->
			<!-- RTP/Authentication/[type]Methods defined in Authentication.xml. Default setup includes; none, basic, digest -->
			<!-- RTP/AVSyncMethod. Valid values are: senderreport, systemclock, rtptimecode -->
			<!-- Properties defined here will override any properties defined in conf/RTP.xml for any depacketizers loaded by this application -->
			<!-- Properties defined here will override any properties defined in conf/MediaCasters.xml for any MediaCasters loaded by this applications -->
			<!-- Properties defined here will override any properties defined in conf/MediaReaders.xml for any MediaReaders loaded by this applications -->
			<!-- Properties defined here will override any properties defined in conf/MediaWriter.xml for any MediaWriter loaded by this applications -->
			<!-- Properties defined here will override any properties defined in conf/LiveStreamPacketizers.xml for any LiveStreamPacketizers loaded by this applications -->
			<!-- Properties defined here will override any properties defined in conf/HTTPStreamers.xml for any HTTPStreamer loaded by this applications -->
				<Description>Client Logging</Description>
		<!-- Properties defined here will be added to the IApplication.getProperties() and IApplicationInstance.getProperties() collections -->

Thank you for replying Richard, the method you gave me doConnect worked great.

Also, I am trying to have a randomly generated rtmp url something like: rtmp://localhost/live?randomuser&randompass

what i am trying to do is when i add somebody into my user database through a phpscript the script creates a randomly generated username and password for them and i want the same randomly generated user and pass added to a file in my wowza like new credentials that could be added as a new line in the publish.password file.

that is what i am trying to accomplish here, what do you think i can do here?