Wowza Community

Unified Security Approach

I need to be 100% sure that any playback from wowza has been authorized. I added a module that authorized http streaming playback and then found that the stream could be played using rtsp. I then found the same type of hook for rtsp streams. Now I am finding rtmp is even more tricky.

I need a security hook that gives me 100% assurance that nothing will be served unless authorized.

Is there a hook that somebody can alert me to that would do this?

The information I need is the file path of the stream being played and the IP of the requesting user.

I am aware of how to insert a module and implemented the following methods to intercept stream playback, but a single authorization hook that was documented to show that all stream playback could be authorized is what I am looking for.

import com.wowza.wms.client.IClient;
import com.wowza.wms.httpstreamer.model.IHTTPStreamerSession;
import com.wowza.wms.module.ModuleBase;
import com.wowza.wms.rtp.model.RTPSession;
import com.wowza.wms.stream.IMediaStream;
import com.wowza.wms.stream.IMediaStreamActionNotify;

public class CustomAuthorizationModule extends ModuleBase
{
    // http
    public void onHTTPSessionCreate(IHTTPStreamerSession httpSession)
    {
        boolean isGood = true;
        String ipAddressClient = httpSession.getIpAddress();
        String queryStr = httpSession.getQueryStr();
        String streamName = httpSession.getStreamName();
        // ... authorize (sets isGood)
        if (!isGood)
        {
            httpSession.rejectSession();
        }
    }

    // rtsp
    public void onRTPSessionCreate(RTPSession rtpSession)
    {
        boolean isGood = true;
        String ipAddress = rtpSession.getIp();
        String uriStr = rtpSession.getUri();
        String streamName = extractStreamName(uriStr); // Have to come up with streamName
        // ... authorize (sets isGood)
        if (!isGood)
        {
            rtpSession.rejectSession(); // reject the RTP session, not the (undefined here) httpSession
        }
    }

    // Placeholder: takes the last path segment of the RTSP URI, ignoring any query string
    private String extractStreamName(String uriStr)
    {
        if (uriStr == null)
            return null;
        int q = uriStr.indexOf('?');
        String path = (q < 0) ? uriStr : uriStr.substring(0, q);
        return path.substring(path.lastIndexOf('/') + 1);
    }

    // rtmp
    public void onStreamCreate(IMediaStream stream)
    {
        stream.addClientListener(new DmeStreamNotify());
    }

    // rtmp
    class DmeStreamNotify implements IMediaStreamActionNotify
    {
        private boolean alreadyAuthorized = false; // set once this client's play request has been authorized

        @Override
        public void onPlay(IMediaStream stream, String streamName, double playStart, double playLen, int playReset)
        {
            if (alreadyAuthorized)
            {
                // test if this play request is already authorized
            }
            else
            {
                boolean isGood = true;
                getLogger().info("DmeStreamNotify.play()");
                getLogger().info("DmeStreamNotify.play() stream.getName(): " + stream.getName());
                getLogger().info("DmeStreamNotify.play() stream.getContextStr(): " + stream.getContextStr());
                getLogger().info("DmeStreamNotify.play() stream.getQueryStr(): " + stream.getQueryStr());
                IClient client = stream.getClient();
                if (client != null)
                {
                    getLogger().info("DmeStreamNotify.play() client.getIp(): " + client.getIp());
                }
                // ... authorize (sets isGood)
                if (!isGood && client != null) // client is null for non-RTMP streams, so guard before shutting down
                {
                    client.shutdownClient();
                }
            }
        }

        // remaining IMediaStreamActionNotify callbacks are not needed for authorization
        public void onPause(IMediaStream stream, boolean isPause, double location) {}
        public void onSeek(IMediaStream stream, double location) {}
        public void onStop(IMediaStream stream) {}
        public void onPublish(IMediaStream stream, String streamName, boolean isRecord, boolean isAppend) {}
        public void onUnPublish(IMediaStream stream, String streamName, boolean isRecord, boolean isAppend) {}
    }
}
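As an added example (not code from the original post, and not part of Wowza), here is one way to make the three entry points above share a single latch point: every protocol hook collects the stream name, the query string and the client IP and passes them to one authorize() method, which verifies an HMAC-SHA256 token carried in the playback URL and bound to the stream name, the client IP and an expiry time. Assumptions of this example: the query parameter names authtoken and authexpires, a custom Application.xml property authSharedSecret, that RTPSession.getUri() returns the full rtsp://host/app/stream?query URL the client sent, and that the web application issuing playback URLs computes the token over the stream name in the same form Wowza reports it (for example mp4:sample.mp4). For RTMP the check is repeated on every play, so switching streams on the same connection has to be authorized again.

```java
import com.wowza.wms.application.IApplicationInstance;
import com.wowza.wms.client.IClient;
import com.wowza.wms.httpstreamer.model.IHTTPStreamerSession;
import com.wowza.wms.module.ModuleBase;
import com.wowza.wms.rtp.model.RTPSession;
import com.wowza.wms.stream.IMediaStream;
import com.wowza.wms.stream.IMediaStreamActionNotify;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class UnifiedPlaybackAuthModule extends ModuleBase {
    // Query parameter names and the Application.xml property name are assumptions of this example.
    private static final String TOKEN_PARAM = "authtoken";
    private static final String EXPIRES_PARAM = "authexpires";
    private byte[] sharedSecret;

    public void onAppStart(IApplicationInstance appInstance) {
        String secret = appInstance.getProperties().getPropertyStr("authSharedSecret", null);
        if (secret == null)
            getLogger().error("UnifiedPlaybackAuthModule: authSharedSecret not set; all playback will be refused");
        sharedSecret = (secret == null) ? null : secret.getBytes(StandardCharsets.UTF_8);
    }

    // The single latch point: every protocol hook below ends up here, and it fails closed on missing input.
    boolean authorize(String streamName, String queryStr, String clientIp) {
        if (sharedSecret == null || streamName == null || clientIp == null)
            return false;
        Map<String, String> params = parseQuery(queryStr);
        String token = params.get(TOKEN_PARAM), expiresStr = params.get(EXPIRES_PARAM);
        if (token == null || expiresStr == null)
            return false;
        long expires;
        try { expires = Long.parseLong(expiresStr); } catch (NumberFormatException e) { return false; }
        if (System.currentTimeMillis() / 1000L > expires)
            return false; // token has expired
        byte[] expected = computeToken(streamName, clientIp, expires).getBytes(StandardCharsets.UTF_8);
        // constant-time compare, so a wrong token cannot be distinguished byte by byte through timing
        return MessageDigest.isEqual(expected, token.getBytes(StandardCharsets.UTF_8));
    }

    // token = urlsafe-base64(HMAC-SHA256(secret, streamName|clientIp|expires)). The web app that issues
    // playback URLs must compute exactly this value over the stream name as Wowza reports it.
    String computeToken(String streamName, String clientIp, long expires) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(sharedSecret, "HmacSHA256"));
            byte[] sig = mac.doFinal((streamName + "|" + clientIp + "|" + expires).getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // No percent-decoding: the token is base64url and the expiry is digits, so neither needs it.
    static Map<String, String> parseQuery(String queryStr) {
        Map<String, String> params = new HashMap<String, String>();
        if (queryStr == null) return params;
        for (String pair : queryStr.split("&")) {
            int eq = pair.indexOf('=');
            params.put(eq < 0 ? pair : pair.substring(0, eq), eq < 0 ? "" : pair.substring(eq + 1));
        }
        return params;
    }

    // HTTP streaming (HLS, HDS, Smooth, DASH)
    public void onHTTPSessionCreate(IHTTPStreamerSession httpSession) {
        if (!authorize(httpSession.getStreamName(), httpSession.getQueryStr(), httpSession.getIpAddress()))
            httpSession.rejectSession();
    }

    // RTSP/RTP. Assumes getUri() returns the full rtsp://host/app/stream?query URL the client sent.
    public void onRTPSessionCreate(RTPSession rtpSession) {
        String streamName = null, query = null;
        try {
            URI uri = new URI(rtpSession.getUri());
            String path = uri.getPath();
            streamName = (path == null) ? null : path.substring(path.lastIndexOf('/') + 1);
            query = uri.getRawQuery();
        } catch (URISyntaxException e) { /* streamName stays null and authorize() rejects */ }
        if (!authorize(streamName, query, rtpSession.getIp()))
            rtpSession.rejectSession();
    }

    // RTMP: the check runs on every play, so a player that switches streams on the same connection
    // is re-authorized for the new stream name instead of riding on the first one.
    public void onStreamCreate(IMediaStream stream) {
        stream.addClientListener(new PlayAuthListener());
    }

    class PlayAuthListener implements IMediaStreamActionNotify {
        public void onPlay(IMediaStream stream, String streamName, double playStart, double playLen, int playReset) {
            IClient client = stream.getClient();
            if (client == null)
                return; // no RTMP IClient behind this stream (HTTP session or server-side stream); nothing to cut
            if (!authorize(stream.getName(), stream.getQueryStr(), client.getIp()))
                client.shutdownClient();
        }
        public void onPause(IMediaStream stream, boolean isPause, double location) {}
        public void onSeek(IMediaStream stream, double location) {}
        public void onStop(IMediaStream stream) {}
        public void onPublish(IMediaStream stream, String streamName, boolean isRecord, boolean isAppend) {}
        public void onUnPublish(IMediaStream stream, String streamName, boolean isRecord, boolean isAppend) {}
    }
}
```

Two caveats for anyone adapting this: binding the token to the client IP breaks for viewers behind a NAT or proxy whose address changes mid-session, which is the same trade-off as the "Include client IP address" option in SecureToken, and for RTMP the connection has already been accepted by the time onPlay runs, so shutdownClient() is a tear-down after the fact rather than a refusal up front; nothing is served before the check, but the socket was opened.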

I may be stating something you have already dismissed, so please excuse me if I have.

The built-in "outgoing security" module that can be configured per Application should allow you to achieve this without the need for additional custom modules.

Example:

vHost > vod > Outgoing Security:

SecureToken

- Protect all protocols using hash. (SecureToken version 2)

Shared Secret:

- Generate or use your own.

Hash Algorithm:

- Select SHA-256, 384 or 512 (Note: there is currently a bug when using 512, due to be fixed in the next release.)

- Make sure "Include client IP address in hash generation" is selected.

Hash Query Parameter Prefix:

- For extra security use a custom token name per application. (e.g. applicationNameToken)

Client Restrictions:

- Configure as required.

Setting this per application will by default prevent any streams being played unless correctly authenticated.

Please note that you will have to adjust your player setup to include the new security settings so that it's able to authenticate playback appropriately.

- Instructions on how to do this can be found here: How to protect streaming using SecureToken.

- Information on the SHA-512 bug can be found in my thread here: Running in to an Anomoly: Securing Streams using SecureToken (you can also see how to go about setting up the secured playback in this thread as well.)

Hope this is of some help, if you have any questions or require any help setting this up please feel free to ask!

Yah, neither solution suits us. One assumes you have a flash player (non-starter). One assumes you know what IP addresses you should block.

A unified security model layer is needed to implement protection across all forms of streaming output. This allows clients (me) to attach custom URL attributes that can be authenticated by my module before allowing any stream output.

It would be best, that for any playback request there was a single hook that identified the stream resource trying to be played, url parameters, and IP address of the http request.

Not one thing that supports flash players and another thing that simply looks at IP addresses.

Even better would be that the modules that are performing playback recognize if the player is switching to a different stream resource, report to the common hook, and require the same authentication as the initial playback setup. I don't see how you can believe security is handled if it is not funneled through a single common latch point that is stream implementation independent.

The flash player implementation documentation is not very reassuring that what they have implemented is not without serious design drawbacks.