Red5 Security Tutorial

Question

I am looking for a step by step tutorial on securing Red5 from intrusion. This seems to be a question that comes up alot in a google search, but is never really answered in a way that makes sense to your average flash developer.

Answer 1

I have been looking for a definite answer to this as well. I wouldn't want anyone on the net to connect to oflaDemo and start streaming to my box.

I'm thinking its something that will have to be configured via firewall to drop incoming traffic to port 1935 from the outside world.

Answer 2

You cannot secure the backend from the client side, OflaDemo is a demo app, not a production one. By default, Red5 disallows global connections, so if you only run your own application, you can implement whatever kind of security you wish.

No, it is actually not needed (and not useful) to try to manage security only on firewall level. The API permits restricting user access to the various kinds of usage of red5.

Regards, snolde

Answer 3

You can secure red5 for Publishing, Playback, or SharedObjects using the security framework. The client does not matter in this case, but if you want to secure oflaDemo for instance you will need to add the security hooks on the backend. Here is the tutorial that you need: http://www.red5.org/wiki/Documentation/UsersReferenceManual/Red5CoreTechnologies/04-Security
A more in-depth security tutorial is here: http://wiki.red5.org/wiki/Documentation/Tutorials/Red5AndAcegiSecurity
A simple example to block playback is as follows:

public class PlaybackSecurity implements IStreamPlaybackSecurity {
    @Override
    public boolean isPlaybackAllowed(IScope scope, String name, int start, int length, boolean flushPlaylist) {
        //start out denied
        boolean allowed = false;
        //get the current connection
        IConnection conn = Red5.getConnectionLocal();
        //token to use for auth
        Long token = -1L;
        if (conn.hasAttribute("token")) {
            //get a 'token' we stored on their connection from elsewhere
            token = conn.getLongAttribute("token");
            //validate the token in some way
            if (token > 0L) {
                allowed = true;
            }
        }
        //return allowed or denied state
        return allowed;
    }
}

The security class should be added when your application starts, so I suggest that you put it in your application adapters "appStart" method like so:

    @Override
    public boolean appStart(final IScope app) {
        //register our stream security classes
    registerStreamPlaybackSecurity(new PlaybackSecurity(applicationContext));
        //pass control back to super
        return super.appStart(app);
    }