November 19, 2010
Question

FMS administration api security


Hi

I bet this question has been posted earlier too, but I couldn't find it by googling. The method used in the FMS admin administration reference to access the admin API is like so:

http://www.example.com:1111/admin/getLiveStreamStats?auser=username&apswd=password&appInst=name&stream=name

But isn't this unsafe? I mean, anyone can see the password this way?


    2 replies

    November 19, 2010

    A few ways to get over this would be to use Server.xml configurations on FMS to allow admin requests only from a trusted domain or a client (IP address) and disallow any other connect requests.

    And using RTMPE to connect to the admin server would also be safe since it's encrypted.

    Regards

    Mamata

    November 19, 2010

    I think the OP was wondering about exposing the username and password on the client side. If the question was actually about man-in-the-middle attacks sniffing out the credentials when making a server-to-server request, please correct me.

    Regardless of the method being used to make the request of the admin service, never expose the admin service credentials to a client side application, unless that application is only accessible to authorized users who should have access to the FMS admin service. If you provide those credentials (via hard code or via service request) to a client side application that is accessible to the public or otherwise unauthorized admin service users, you immediately compromise your server security.

    November 19, 2010

    "wondering about exposing the username and password on the client side" - This is what I meant. You see, it's very easy to use Firebug in Mozilla Firefox to fish out HTTP requests. And then you can clearly see the admin username and password in the GET request.

    November 19, 2010

    That's why we don't expose admin service requests to the public. Do it from the server side.
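
The server-side approach the replies describe, as an added example that is not part of the original thread: a backend helper keeps the admin credentials in its own environment, builds the `getLiveStreamStats` request itself, and hands only the response body back to whatever serves the browser. The environment variable names, the loopback admin address and all function names are assumptions made for this sketch.

```python
import os
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import urlopen

# Assumption: the admin port is reachable only from this backend host.
ADMIN_URL = "http://127.0.0.1:1111/admin/getLiveStreamStats"
SAFE_NAME = re.compile(r"[A-Za-z0-9_/-]{1,64}")
SECRET_PARAMS = {"auser", "apswd"}


def build_admin_url(app_inst, stream, user, password):
    """Build the admin request; reject names that are not plain identifiers."""
    for value in (app_inst, stream):
        if not SAFE_NAME.fullmatch(value):
            raise ValueError("invalid application or stream name")
    query = urlencode({"auser": user, "apswd": password,
                       "appInst": app_inst, "stream": stream})
    return ADMIN_URL + "?" + query


def redact(url):
    """Mask credential parameters so the URL can be written to logs."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def http_get(url):
    """Default fetcher: plain GET against the local admin service."""
    with urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8", "replace")


def stream_stats_for_client(app_inst, stream, fetch=http_get,
                            env=os.environ, log=print):
    """Called by the backend's own handler; the browser never sees the admin URL."""
    url = build_admin_url(app_inst, stream,
                          env["FMS_ADMIN_USER"], env["FMS_ADMIN_PASS"])
    log("admin call: " + redact(url))
    return fetch(url)  # only the response body goes back to the caller
```

The public-facing page then calls the backend's own endpoint, so a browser network inspector shows only that request and never `auser` or `apswd`.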