
Thread: SecureToken - is there any way to force unique "login" authentication

  1. #1
    Join Date
    Mar 2014
    Posts
    5

    Default SecureToken - is there any way to force unique "login" authentication

    Hi,

    Sorry for my previous question - it was a misunderstanding of secure token mechanics...

    I want to ask if you have any proposition on how to build access restriction based on the SecureToken v2 method of authentication. I want to authenticate my users with our own authentication backend and sign Wowza stream addresses for them, but I want to be sure that they are not able to simultaneously access streams using the same credentials.

    Can I attach custom authentication data to the signed URL (for example wowzatokenusername=paluho) and later check on the Wowza side if there is a running session with the given authentication parameter?
    Last edited by paluho; 09-07-2015 at 04:28 AM.

  2. #2

    Default

    Hi,

    There isn't any way to intercept the secure token workflow; however, you could check the query params separately to see if they are already being used in another session. If someone tries to change your `wowzatokenusername` value manually then it would fail the secure token check anyway.

    Where you might have a problem is if the user refreshes the player page and restarts it with the same token values. This would create a new session before the old one times out. The normal secure token checks would pass but your username check would fail until the old session timed out and shut down.

    Part of the secure token check is the player IP address, which must match for the player connection to your web page and for the player connection to the Wowza server. Given that most problems are with users sharing links, this catches most cases. If you need to have a more secure approach then you can use the APIs to create your own solution.

    Roger.

  3. #3
    Join Date
    Mar 2014
    Posts
    5

    Default

    Thanks a lot Roger for your answer!

    I've got an additional question:

    Is it possible to create a module (or modules - probably separate modules for rtmp, http and rtsp) which, when a request arrives, checks if there is any other running (http, rtsp or rtmp) session in the given VHost which uses the same wowzatokenusername and, if it exists, "kills" this matching session, so that only a single session with a given wowzatokenusername is allowed per VHost?
    Last edited by paluho; 09-09-2015 at 02:12 AM. Reason: I've changed application to VHost, because this was my original intention - word "application" was a mistake.

  4. #4
    Join Date
    Jun 2012
    Posts
    724

    Default

    Hi,

    If the playback user is using the correct playback URL, with the correct security token, then his playback request will be authorized. However, you could restrict the secure token validity to the Client IP. This way, even if the unauthorized playback user is using the correct playback URL, his IP address won't match the one for which that particular secure token hash was generated.

    Zoran

  5. #5
    Join Date
    Mar 2014
    Posts
    5

    Default

    Quote Originally Posted by zoran_u View Post
    Hi,

    If the playback user is using the correct playback URL, with the correct security token, then his playback request will be authorized. However, you could restrict the secure token validity to the Client IP. This way, even if the unauthorized playback user is using the correct playback URL, his IP address won't match the one for which that particular secure token hash was generated.

    Zoran

    Thanks Zoran for your answer, but I wonder if there is any possibility to forbid simultaneous connections based on the same "login". I wonder if it is possible to implement the given scenario:

    * our authentication backend checks user credentials and creates signed URLs

    * let's suppose that user "paluh" has authenticated and our system generated URLs for him (there is only one custom parameter for simplicity, which contains the user login):

    http://192.168.1.1:1935/vod/sample.m...Phhd0GxIcA2oo=

    * assume that user "paluh" is viewing the stream using the given address, but he has also given the rtmp version of the signed URL to his friend Bob

    * now Bob is trying to access the server using (the same "login" value):

    rtmp://192.168.1.1:1935/vod/sample.mp4/playlist.m3u8?myTokenPrefixLogin=paluh&myTokenPrefixhash=TgJft5hsjKyC5Rem_EoUNP7xZvxbqVPhhd0GxIcA2oo=

    My question is:

    Is it possible to write such a plugin, which will search for every session (all http, rtmp and rtsp, within the given VHost or Application) with the "myTokenPrefixLogin=paluh" parameter and "kill" such sessions before it allows Bob to access the stream?
    Last edited by paluho; 10-21-2015 at 03:08 PM.

  6. #6
    Join Date
    Jun 2012
    Posts
    724

    Default

    Hello,

    Yes, you can develop a custom module to implement this workflow.
    Basically you can have the module retrieve the querystring, check it against a database and, if the check returns as expected, you can authorize that particular playback session.

    In the "How to do user authentication for Flash RTMP client using JDBC connection to MySQL database" forum article you can find an example on how to do something similar.

    Zoran
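
The "one session per login" workflow discussed in this thread, as an added sketch that is not code from any poster or from Wowza: a registry keyed on the signed login parameter that admits the newest session and kills the one it replaces. The class name, the `Session` interface and the `Fake` stand-in are hypothetical; a real module would wrap its RTMP, HTTP and RTSP session objects behind `Session` and call `admit` only for sessions that already passed the secure token check, because an unsigned login value would otherwise let anyone disconnect another user.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class SingleSessionPerLogin {
    // Hypothetical handle: a real module would wrap its RTMP/HTTP/RTSP session objects.
    interface Session { String id(); void kill(); }
    record Fake(String id, List<String> killed) implements Session { // constructed stand-in
        public void kill() { killed.add(id); }
    }
    static final String LOGIN_PARAM = "myTokenPrefixLogin"; // parameter name used in the thread
    private final Map<String, Session> active = new ConcurrentHashMap<>();

    // Pull the login value out of a raw query string; null if missing or empty.
    static String loginFrom(String query) {
        if (query == null) return null;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(LOGIN_PARAM)) {
                String v = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
                return v.isEmpty() ? null : v;
            }
        }
        return null;
    }
    // Newest session wins: atomically take the slot, then kill the previous owner.
    // Returns false when there is no login to key on, so the caller can reject.
    boolean admit(Session s, String query) {
        String login = loginFrom(query);
        if (login == null) return false;
        Session old = active.put(login, s);
        if (old != null && old != s) old.kill();
        return true;
    }
    // Session-destroy hook: free the slot only if this session still owns it.
    void release(Session s, String query) {
        String login = loginFrom(query);
        if (login != null) active.remove(login, s);
    }

    public static void main(String[] args) {
        List<String> killed = new ArrayList<>();
        SingleSessionPerLogin reg = new SingleSessionPerLogin();
        String q = "myTokenPrefixLogin=paluh&myTokenPrefixhash=CONSTRUCTED"; // constructed sample
        Session http = new Fake("http-1", killed), rtmp = new Fake("rtmp-2", killed);
        System.out.println(reg.admit(http, q) + " " + reg.admit(rtmp, q));
        reg.release(http, q); // late teardown of the evicted session must not free the slot
        System.out.println("killed=" + killed + " owner=" + reg.active.get("paluh").id());
    }
}
```

Replacing the old session instead of refusing the new one also covers the page-refresh case raised in post #2, where a legitimate viewer reconnects before the previous session has timed out.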
