I am looking for a step by step tutorial on securing Red5 from intrusion. This seems to be a question that comes up alot in a google search, but is never really answered in a way that makes sense to your average flash developer.
I have been looking for a definite answer to this as well. I wouldn't want anyone on the net to connect to oflaDemo and start streaming to my box.
I'm thinking its something that will have to be configured via firewall to drop incoming traffic to port 1935 from the outside world.
You cannot secure the backend from the client side, OflaDemo is a demo app, not a production one. By default, Red5 disallows global connections, so if you only run your own application, you can implement whatever kind of security you wish.
No, it is actually not needed (and not useful) to try to manage security only on firewall level. The API permits restricting user access to the various kinds of usage of red5.
Regards, snolde
You can secure red5 for Publishing, Playback, or SharedObjects using the security framework. The client does not matter in this case, but if you want to secure oflaDemo for instance you will need to add the security hooks on the backend. Here is the tutorial that you need:
http://www.red5.org/wiki/Documentation/UsersReferenceManual/Red5CoreTechnologies/04-Security
A more in-depth security tutorial is here:
http://wiki.red5.org/wiki/Documentation/Tutorials/Red5AndAcegiSecurity
A simple example to block playback is as follows:
The security class should be added when your application starts, so I suggest that you put it in your application adapters "appStart" method like so:
public class PlaybackSecurity implements IStreamPlaybackSecurity {
@Override
public boolean isPlaybackAllowed(IScope scope, String name, int start, int length, boolean flushPlaylist) {
//start out denied
boolean allowed = false;
//get the current connection
IConnection conn = Red5.getConnectionLocal();
//token to use for auth
Long token = -1L;
if (conn.hasAttribute("token")) {
//get a 'token' we stored on their connection from elsewhere
token = conn.getLongAttribute("token");
//validate the token in some way
if (token > 0L) {
allowed = true;
}
}
//return allowed or denied state
return allowed;
}
}
@Override
public boolean appStart(final IScope app) {
//register our stream security classes
registerStreamPlaybackSecurity(new PlaybackSecurity(applicationContext));
//pass control back to super
return super.appStart(app);
}