The story indicates the need for three types of group: public, authenticated, and staff. There will be content viewable by anyone, by authenticated users only, or by staff only.
Avalon generates a token and attaches it to the video URL.
The streaming server calls back to Avalon to verify the token's authenticity and its validity for the requested stream.
Token/Callback Authentication Details
Calculate an MD5 signature based on the required expiration time, the path of the link, and a secret key of your account.
Attach signature to video URL.
If signature in URL request matches signature calculated on server then proceed with the streaming.
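The token steps above as an added example (not Avalon's or Red5's own code): it signs and verifies a stream URL with the MD5 scheme described, and offers an HMAC-SHA256 signer over the same fields as a stronger option. The field order, the `:` separator, the `expires` and `sig` parameter names, the host, the path and the secret are all assumptions.

```ruby
require 'digest'
require 'openssl'
require 'uri'

SECRET = 'constructed-demo-secret' # assumed shared secret (app + streaming server)

# Scheme from the steps above: MD5 over expiry, path, secret (order and ':' assumed).
def md5_signature(path, expires, secret = SECRET)
  Digest::MD5.hexdigest("#{expires}:#{path}:#{secret}")
end

# Variant over the same fields using keyed HMAC-SHA256 instead of plain MD5.
def hmac_signature(path, expires, secret = SECRET)
  OpenSSL::HMAC.hexdigest('SHA256', secret, "#{expires}:#{path}")
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Attach expiry and signature to the URL ('expires' and 'sig' are assumed names).
def sign_url(base, path, ttl:, now: Time.now.to_i, signer: :md5_signature)
  expires = now + ttl
  query = URI.encode_www_form(expires: expires, sig: send(signer, path, expires))
  "#{base}#{path}?#{query}"
end

# Server side: recompute the signature from the request, compare, check expiry.
def verify_url(url, now: Time.now.to_i, signer: :md5_signature)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  expires = Integer(params['expires'], exception: false)
  sig = params['sig'].to_s
  return :malformed if expires.nil? || sig.empty?
  return :bad_signature unless secure_equal?(send(signer, uri.path, expires), sig)
  return :expired if now > expires
  :ok
end

# Constructed sample: a five-minute link for a made-up stream path.
if __FILE__ == $PROGRAM_NAME
  url = sign_url('rtmps://stream.example.edu', '/avalon/lecture1.mp4', ttl: 300)
  puts url
  puts verify_url(url)                                 # fresh, untouched link
  puts verify_url(url.sub('lecture1', 'lecture2'))     # path swapped after signing
  puts verify_url(url, now: Time.now.to_i + 301)       # replayed after expiry
end
```

The signature is checked before the expiry, so a request with an edited `expires` value is rejected as forged rather than evaluated against a timestamp the client chose.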
RTMPS runs over a secure SSL connection. Natively supported in Red5.
RTMPE is vulnerable to man-in-the-middle attacks. Programs like rtmpdump can still record
See Red5 authentication
Features supported on FlashPlayer 10.1 and newer
There is a Hydra ticket for future implementation of CanCan - a great authorization lib for Rails.
Hydra ND Video Head seems to have used it.
What happens when someone wants to embed a video with restricted access on a third-party website (e.g. professorX.com)? We need to enable auth in the embedded player.
Host an SWF file on an IU server; a script on professorX.com fetches the SWF and uses it to read IU auth cookies.
If the user has previously logged in, the cookie is there and access should be granted. If not, open an IU pop-up and ask the user to log in.
The previous method may not run on iOS. YouTube has moved to using an iframe to embed videos.
If we embed the player as an iframe, the iframe can read the cookie from IU, with the exception of Safari, for which a workaround exists.