Create an authorization scheme for Adobe Media Server (and others) that can be used to secure access to streaming media.
Append a dynamic stream token to the end of the media URL that is passed to the media server. The media server then passes the token back to Avalon, which confirms or denies the validity of the request.
Given the RTMP Media URL:
The Flash player does the following:
- Connect to the application URL
- Request the stream
The /avalon application on the server side can handle Step 1 in an onConnect() handler, but does not provide a mechanism for handling Step 2, where the stream itself would have to be authenticated.
However, the onConnect() handler can override the client's access control list before any streams are requested. The strategy, therefore, is for Adobe Media Server to pass dynamic_stream_token back to Avalon via a REST call. Avalon responds either with a 403 Unauthorized error, or with the mediapackage_id that the token is valid for. By then limiting client access to /mediapackage_id/*, the application ensures that the token can only be used to access the stream(s) it's authorized for.
HTTP Live Streaming
Given the HTTP Live Streaming Media URL:
The Adobe Media Server isn't directly involved in serving HLS streams; they're handled directly by Apache and the HLS modules. Instead of an onConnect() callback, we use Apache's mod_rewrite to intercept the request and pipe it to a running shell script that does the Avalon callback and determines whether to allow the request to pass.
The .m3u8 file is just a playlist full of .ts "chunks." By securing the .m3u8 request, we establish some measure of security, but there's nothing preventing a user from saving the .m3u8 file and loading it again later. Securing the .ts files with tokens is possible, but may foil Apache's caching, resulting in tremendous performance degradation.
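A sketch of the mod_rewrite helper script described above, added here as an example and not Avalon's own code: it asks Avalon about the token and allows the playlist request only when the path falls under the returned mediapackage_id, denying on every error. The callback URL, the "token|path" lookup-key format and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Avalon's own script. A RewriteMap "prg:" helper reads one
# lookup key per line on stdin and must answer with exactly one line on stdout.
# Assumed key format (constructed here): "<token>|<request path>".

# Placeholder endpoint; the page does not give the real callback URL.
AVALON_AUTHORIZE_URL="${AVALON_AUTHORIZE_URL:-https://avalon.example.edu/authorize}"

# Ask Avalon about a token. Prints the mediapackage_id on success; exits
# non-zero on a 403, a timeout, or any other failure (curl -f).
avalon_authorize() {
  curl -fsS -G --max-time 5 --data-urlencode "token=$1" "$AVALON_AUTHORIZE_URL"
}

# decide TOKEN PATH -> prints "allow" or "deny". Every error path denies.
decide() {
  d_token=$1
  d_path=$2
  # Accept only a conservative alphabet so nothing odd reaches curl or the match.
  case $d_token in
    ''|*[!A-Za-z0-9_-]*) echo deny; return 0 ;;
  esac
  case $d_path in
    *..*|*[!A-Za-z0-9_./-]*) echo deny; return 0 ;;
  esac
  d_id=$(avalon_authorize "$d_token") || { echo deny; return 0; }
  case $d_id in
    ''|*[!A-Za-z0-9_-]*) echo deny; return 0 ;;
  esac
  # The token is good only for /<mediapackage_id>/*, never for another package.
  case $d_path in
    /"$d_id"/*) echo allow ;;
    *) echo deny ;;
  esac
}

# Lookup loop: Apache starts the helper once and keeps the pipe open.
serve() {
  while IFS= read -r key; do
    decide "${key%%|*}" "${key#*|}"
  done
}

# Start the loop only when asked to, so the functions can be tested alone.
if [ "${1:-}" = serve ]; then serve; fi
```

Because the helper fails closed, an unreachable Avalon instance blocks all HLS playlist requests until the callback answers again.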