Authentication Add-In Allows Old User Agents without Authentication

Report · Jan 11, 2010

I have installed AdobeFlash Media Development Server (as a test for Interactive Server 3.5) and the Authentication Add-In v3. It works great with Flash Media Encoder 3 (FMLE/3.0), but if I specify a different user agent (FME/2.5 or FM/1.0) using an older version of the encoder or another brand encoder that supports multiple user agents (eg. Wirecast) the authentication is completely ignored.

Is there a way to restrict Adobe Flash Media Interactive Server to accepting uploads from user agent FMLE/3.0 only (or cause it to respect credentials from older user agents . . . if they even send credentials)?

Thanks!

Dan

Report · Jan 12, 2010

Since you're using interactive server, you could manage it with client side actionscript (which is a whole lot more flexible than the auth addin). In your application.onConnect or application.onPublish methods you can inspect the client.agent property, as well as perform inspection of credentials (I'm a big fan of tacking get variables onto the end of the RTMP URL and extracting them by inspecting the client.uri property).

Perhaps it might make sense to look at it from the other direction. Why is it that you want to restrict publishing to FMLE 3 clients?

In Response To Deleted User · Jan 14, 2010

The final goal is not to restrict to FMLE 3.0 but rather to have the server require credentials to upload video. Even with the authentication module in place I am able to bypass credentials if I use an older encorder User Agent. Only FMLE 3.0 respects the login. Does not seem too secure.

Having said all of that, the end server product my customer purchased is actually the Streaming server, so the authentication plugin is out anyhow. Are there any options to require credentials to upload video to the FMSS?

Thanks!

In Response To dd35 · Jan 14, 2010

Unfortunately this is a known issue for FMSS that we're actively engaged on fixing. At the moment the only way to restrict the publisher for FMSS is to control the IPs accepted to a publishing application through configuration. Like I said, it's a known issue and only the FMIS can do this for the moment.

In Response To dd35 · Jan 14, 2010

Given Asa's comment on FMSS (thanks FMS engineering team for addressing that one), I'm wondering if in your production environment you're always going to use FMLE as the publishing client. If in the future you decide to use a third party encoder that doesn't play nice with the auth addin, you're going to be stuck.

In that case, I'd seriously consider going with interactive server. What I like to do for authenticating publishers is to require credentials as GET variables on the RTMP URL, and then inspect the client.uri property to pick them out and validate them. That way, you can give any encoder (other than old versions of FMLE that don't allow get vars... go figure) a URL like

rtmp://myserver.com/app/instance/?password=12345

and FMIS can authenticate the user through server side actionscript. This authentication can happen in the application.onPublish handler, so you can wait to authenticate until the client starts publishing something (in case subscribers are connecting to the same app).