Thread: Unified Security Approach

  1. #1

    Question Unified Security Approach

    I need to be 100% sure that any playback from Wowza has been authorized. I
    added a module that authorized HTTP streaming playback and then found
    that the stream could be played using RTSP. I then found the same type of
    hook for RTSP streams. Now I am finding RTMP is even more tricky.

    I need a security hook that gives me 100% assurance that nothing will be served
    unless authorized.

    Is there a hook that somebody can alert me to that would do this?
    The information I need is the file path of the stream being played and the IP of
    the requesting user.

    I am aware of how to insert a module and implemented the following methods
    to intercept stream playback, but a single authorization hook that was
    documented to show that all stream playback could be authorized is what
    I am looking for.

    import com.wowza.wms.client.IClient;
    import com.wowza.wms.httpstreamer.model.IHTTPStreamerSession;
    import com.wowza.wms.module.ModuleBase;
    import com.wowza.wms.rtp.model.RTPSession;
    import com.wowza.wms.stream.IMediaStream;
    import com.wowza.wms.stream.IMediaStreamActionNotify;

    public class CustomAuthorizationModule extends ModuleBase {

        // http
        public void onHTTPSessionCreate(IHTTPStreamerSession httpSession) {
            boolean isGood = true;
            String ipAddressClient = httpSession.getIpAddress();
            String queryStr = httpSession.getQueryStr();
            String streamName = httpSession.getStreamName();

            // ... authorize
            if (!isGood) {
                // ...
            }
        }

        // rtsp
        public void onRTPSessionCreate(RTPSession rtpSession) {
            String ipAddress = rtpSession.getIp();
            String uriStr = rtpSession.getUri();
            String streamName = extractStreamName(uriStr); // Have to come up with streamName
            // ... authorize
            if (!isGood) {
                // ...
            }
        }

        // rtmp
        public void onStreamCreate(IMediaStream stream) {
            stream.addClientListener(new DmeStreamNotify());
        }

        // rtmp
        class DmeStreamNotify implements IMediaStreamActionNotify {
            public void onPlay(IMediaStream stream, String streamName, double playStart, double playLen, int playReset) {
                // test if this play request is already authorized
                if (alreadyAuthorized) {
                    // ...
                }
                getLogger().info(" stream.getName(): " + stream.getName());
                getLogger().info(" stream.getContextStr(): " + stream.getContextStr());
                getLogger().info(" stream.getQueryStr(): " + stream.getQueryStr());
                IClient client = stream.getClient();
                if (client != null) {
                    getLogger().info(" client.getIp(): " + client.getIp());
                }

                // ... authorize

                if (!isGood) {
                    // ...
                }
            }
        }
    }

  2. Default

    I may be stating something you have already dismissed, so please excuse me if I have.

    The built-in "outgoing security" module that can be configured per Application should allow you to achieve this without the need for additional custom modules.

    vHost > vod > Outgoing Security:

    • Protect all protocols using hash. (SecureToken version 2)

    Shared Secret:

    • Generate or use your own.

    Hash Algorithm:

    • Select SHA-256, 384 or 512 (Note: there is currently a bug when using 512, due to be fixed in the next release.)
    • Make sure "Include client IP address in hash generation" is selected.

    Hash Query Parameter Prefix:

    • For extra security use a custom token name per application. (e.g. applicationNameToken)

    Client Restrictions:

    • Configure as required.

    Setting this per application will by default prevent any streams being played unless correctly authenticated.

    Please note that you will have to adjust your player setup to include the new security settings so that it's able to authenticate playback appropriately.

    Hope this is of some help, if you have any questions or require any help setting this up please feel free to ask!
    Last edited by lee.wickham; 12-31-2014 at 07:30 PM. Reason: My lysdeic typing for ever lovingly known as "Lexi"
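
The settings listed in the reply above (shared secret, SHA-256, client IP included in the hash, a per-application parameter prefix) describe a token that ties a playback URL to one stream and one client. The sketch below is an added example, not part of the original post and not Wowza code: the hash input layout, the `vodToken` prefix, the secret and the `endtime` parameter are assumptions made for illustration, so check the server's documentation for the exact format it expects.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed values for illustration only.
SHARED_SECRET = "example-shared-secret"
PREFIX = "vodToken"  # per-application query parameter prefix


def token_hash(path, client_ip, params, secret=SHARED_SECRET, prefix=PREFIX):
    """SHA-256 over stream path, client IP, secret and prefixed params (assumed layout)."""
    parts = [client_ip, secret] + [f"{prefix}{k}={v}" for k, v in params.items()]
    material = f"{path}?{'&'.join(sorted(parts))}"
    digest = hashlib.sha256(material.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")


def sign_query(path, client_ip, params):
    """Issuer side: build the query string the player appends to the playback URL."""
    query = {f"{PREFIX}{k}": v for k, v in params.items()}
    query[f"{PREFIX}hash"] = token_hash(path, client_ip, params)
    return urlencode(query)


def authorize(path, client_ip, query, now):
    """Server side: recompute the hash from the stream and IP actually requested."""
    hash_key = f"{PREFIX}hash"
    supplied = query.get(hash_key)
    if supplied is None:
        return False  # default deny: no token, no playback
    params = {k[len(PREFIX):]: v for k, v in query.items()
              if k.startswith(PREFIX) and k != hash_key}
    expected = token_hash(path, client_ip, params)
    if not hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8")):
        return False  # wrong stream, wrong IP, or altered parameters
    end = params.get("endtime")
    if end is None:
        return True
    return end.isdigit() and now <= int(end)
```

Because the path and client IP are taken from the request rather than from the token, a URL issued for one viewer fails when replayed from another address or pointed at a different stream.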

  3. #3


    Yah, neither solution suits us. One assumes you have a flash player (non starter). One assumes you know what IP addresses you should block.

    A unified security model layer is needed to implement protection across all forms of streaming output. This allows clients (me) to attach custom
    URL attributes that can be authenticated by my module before allowing any stream output.

    It would be best, that for any playback request there was a single hook that identified the stream resource trying to be played, url parameters, and IP address of the http request.

    Not one thing that supports flash players and another thing that simply looks at IP addresses.
    Even better would be that the modules that are performing playback recognize if the player is switching to a different stream resource, reports to
    the common hook, and requires the same authentication as the initial playback setup. I don't see how you can believe security is handled if it
    is not funneled through a single common latch point that is stream implementation independent.

    The flash player implementation documentation is not very reassuring that what they have implemented is not without serious design drawbacks.
    Last edited by meprospero; 06-02-2015 at 12:06 PM.
