Authentication User Guide for: Flash Video, Windows Media, HTTP Delivery

December 2009

877.THE.PNAP (877.843.7627) internap.com
©2008 Internap Network Services Corporation. All rights reserved.


Table of Contents

Conventions Used in This Document
Introducing Authentication
Integrating Into Your Enterprise
Authentication Using Tokens
Issuing A Unique Token
Embedding the Unique Token for Windows Media
Embedding the Unique Token for HTTP Delivery (example shows Windows Media)
Creating a Validation Service


Conventions Used in This Document

Adobe Flash Media Server (FMS): http://www.adobe.com/products/flashmediaserver/

Content Delivery Network (CDN): http://www.internapcdn.com

Internap Streaming Service for Flash: Internap’s on demand and live streaming service for Flash, based on Flash Media Server. http://www.internap.com/cdn-services/deliver/adobe-flash/

Real Time Messaging Protocol (RTMP): This is the protocol that Flash Media Server (FMS) uses by default. For example, the string you use to connect to an FMS for an On Demand object would look similar to this: “rtmp://cdn.yourdomain.com/internapAccount/_definst_”. A Live object would be configured as: “rtmp://cdn.yourdomain.com/internapAccount/live_1” or “rtmp://cdn.yourdomain.com/internapAccount/live_adaptive_1”. RTMP and HTTP are separate methods that provide the same functionality, but not the same performance, so the use of RTMP is recommended.

Referrer: This is the HTML page holding the Windows Media control or Flash SWF object.

SourceURL: This is the actual location of the Windows Media or Flash file described by the Windows Media Control/Flash SWF object in the Referrer.

SOAP: SOAP defines an RPC mechanism that uses XML documents to encode invocation requests and responses for client-server interaction across a network, with HTTP as the base transport. http://msdn.microsoft.com/en-us/library/ms995800.aspx

Token: A unique text string issued by the web site that will be used to prove that a requesting party is allowed to access content. For optimum security the tokens should not be easy to predict and should expire quickly.

Web Service: Broadly defined, a Web service is a method to make various applications communicate with each other automatically over the Internet. With regard to this service, we narrow the definition to SOAP-based web services over HTTP and XML. http://www.w3schools.com/webservices/ws_intro.asp

Web Service Definition Language (WSDL): WSDL is an XML format for describing network services as a set of endpoints operating on messages containing either document-oriented or procedure-oriented information. http://www.w3.org/TR/wsdl


Introducing Authentication

Content owners can design authentication schemes that are compatible with Internap's streaming service. Custom authentication schemes can control who is allowed to access your video streams. When end-user connections are made to Internap, the server checks with a remote web service located at the customer's site. Depending on the value returned from the web service, the Internap CDN accepts or rejects the connection.

There are several scenarios where this authentication capability is useful. Websites can prevent rogue websites from linking to their videos. Content owners can prevent users from passing around HTTP links, thus forcing them to log in with a username and password. It is also possible to authenticate via the client IP address, a token, Internap Account name or Referrer information as well as the SourceURL.

This web service call is made in real time. A token, IP address, Internap Account name, Referrer and SourceURL are passed to the web service (referrer authentication is available for both Windows Media and Flash implementations). The web service may use any combination of these attributes to accept or reject the connection.

The authentication method involving a token requires the website to pass a unique token with the media request. This token is then passed to the Web Service for authentication. This unique token should be a session ID or some sort of hashed data that is not predictable.

An important note regarding Flash Authentication procedures: in order to effectively secure the content, the referrer parameter should be accompanied by the SourceURL, and both the SWF object and the .FLV file should be authenticated separately. The SWF object is presented through HTTP, and both the referrer and SourceURL parameters must be authenticated through HTTP. Due to a requirement of the HTTP authentication model, a token must be included and verified along with the referrer and SourceURL parameters.

An important note regarding Windows Media Authentication procedures: Microsoft did not include this functionality in the original release of Windows Media Player 10 (or prior versions). A Microsoft hotfix is available which may enable the capability in most situations, but an upgrade to Windows Media Player 11 is recommended.

On Demand and Live will function very similarly to unauthenticated streaming. The MediaConsole web-based interface has new options to make streams “secure”. Streaming both authenticated and non-authenticated content can be performed with a single Internap account.

Integrating Into Your Enterprise

At the highest level, the integration process consists of two procedures. First, you must implement a web service that is compatible with Internap’s SOAP format. Second, you must specify the URL of your web service within the MediaConsole GUI. This section goes into detail on the first procedure.


Authentication Using Tokens

The website incorporating Authentication will need to have a mechanism to generate tokens. These tokens need to be passed dynamically to the embed code where the media player resides, using ASP, PHP, Javascript or similar technology. Once the token is generated and issued it needs to be tracked in some type of database. Internap's servers will check with the customer's database before allowing connections to stream. This check is made using a SOAP web service.

Issuing A Unique Token

The website could generate a unique token the first time a new remote browser requests a page, or a new token could be generated on every single page request. If the token is generated during the first page visit, a state-based mechanism such as ASP session variables could be used to keep the token throughout a multitude of web page visits. If the website is a paid subscription-based website, it may make sense to only issue a token on login. If the website is attempting to prevent rogue websites from stealing streams, then “one-time” tokens generated on each page would be appropriate.

A token is an alphanumeric string that can uniquely identify an individual. A driver's license number and a phone number are examples of unique numbers that can be used to identify a specific person. However, these examples fail to meet the needs of internet authentication, because you could easily impersonate somebody else if you know their license number. Tokens need to be unpredictable and resistant to brute force attack. Some good examples of generating unique tokens include:

• Microsoft GUID numbers or other algorithms based on UUID
• MD5 hashes of usernames, passwords and the current time
• Random Number Generator

Tokens should be set to expire frequently to prevent individuals from passing around tokens. Cleaning tokens will also save resources on the database used to store them.

EMBEDDING THE UNIQUE TOKEN FOR FLASH VIDEO

The unique token needs to be passed along in the embed code for the media player. The sample below is used to embed unauthenticated Flash video into a website using HTML.


<!-- Begin Flash Video for Internap FVSS -->
<!-- Note: Extra space was added to "width=" & "height=" for the size of the skin -->
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
  codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0"
  width="640" height="480" id="FLVPlayer">
  <param name="movie" value="http://http.vitalstreamcdn.com/flashskins/FLVPlayer.swf" />
  <param name="align" value="" />
  <param name="salign" value="LT" />
  <param name="quality" value="high" />
  <param name="scale" value="showall" />
  <param name="FlashVars"
    value="&bgColor=0xFFFFFF&serverName=Documentation1.flash.internapcdn.net&appName=Documentation1/_definst_&streamName=fish&autoPlay=true&skinName=http://http.vitalstreamcdn.com/flashskins/clearSkin_1&bufferTime=3&autoRewind=true" />
  <embed src="http://http.vitalstreamcdn.com/flashskins/FLVPlayer.swf"
    flashvars="&bgColor=0xFFFFFF&configFile=&serverName=Documentation1.flash.internapcdn.net&appName=Documentation1/_definst_&streamName=fish&autoPlay=true&skinName=http://http.vitalstreamcdn.com/flashskins/clearSkin_1&bufferTime=3&autoRewind=true&serverName=Documentation1.flash.internapcdn.net"
    quality="high" scale="showall" width="640" height="480" name="FLVPlayer" align="" salign="LT"
    type="application/x-shockwave-flash"
    pluginspage="http://www.macromedia.com/go/getflashplayer" />
</object>
<!-- End Flash Video for Internap FVSS -->

Token authentication can be added with a few parameters. MediaConsole does this when generating embed code for secure streams. The extra code needed is shown below in red.

<!-- Begin Flash Video for Internap FVSS -->
<!-- Note: Extra space was added to "width=" & "height=" for the size of the skin -->
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
  codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0"
  width="640" height="480" id="FLVPlayer">
  <param name="movie" value="http://http.vitalstreamcdn.com/flashskins/FLVPlayer.swf" />
  <param name="align" value="" />
  <param name="salign" value="LT" />
  <param name="quality" value="high" />
  <param name="scale" value="showall" />
  <param name="FlashVars"
    value="&bgColor=0xFFFFFF&serverName=Documentation1.secureflash.internapcdn.net&appName=secure_Documentation1/_definst_&streamName=fish&autoPlay=true&skinName=http://http.vitalstreamcdn.com/flashskins/clearSkin_1&bufferTime=3&autoRewind=true&token=##ENTER_TOKEN##" />
  <embed src="http://http.vitalstreamcdn.com/flashskins/FLVPlayer.swf"
    flashvars="&bgColor=0xFFFFFF&configFile=&serverName=Documentation1.secureflash.internapcdn.net&appName=secure_Documentation1/_definst_&streamName=fish&autoPlay=true&skinName=http://http.vitalstreamcdn.com/flashskins/clearSkin_1&bufferTime=3&autoRewind=true&token=##ENTER_TOKEN##&serverName=Documentation1.secureflash.internapcdn.net"
    quality="high" scale="showall" width="640" height="480" name="FLVPlayer" align="" salign="LT"
    type="application/x-shockwave-flash"
    pluginspage="http://www.macromedia.com/go/getflashplayer" />
</object>
<!-- End Flash Video for Internap FVSS -->


Validating the Token

By default, the Flash Media Servers used for authenticated streaming do not allow anonymous connections to be made. Every attempted connection is validated before completing the connection. This validation is done by a real-time SOAP web service remote procedure at a location specified within the MediaConsole user interface. Once the connection is established the Flash Player is allowed to stream.

Embedding the Unique Token for Windows Media

The unique token needs to be passed along in the embed code for the media player. The next diagram displays the source code typically used to embed unauthenticated Windows video into a website using HTML.

<!-- Begin Windows Media Delivery for Internap -->
<OBJECT id="mediaPlayer" width="320" height="240"
  classid="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
  codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701"
  standby="Loading Microsoft Windows Media Player components..."
  type="application/x-oleobject">
  <param name="src" value="mms://Documentation1.wm.internapcdn.net/Documentation1/Butterfly.wmv">
  <param name="animationatStart" value="true">
  <param name="transparentatStart" value="true">
  <param name="autoStart" value="true">
  <param name="showControls" value="false">
  <param name="loop" value="false">
  <EMBED type="application/x-mplayer2"
    pluginspage="http://microsoft.com/windows/mediaplayer/en/download/" id="mediaPlayer"
    name="mediaPlayer" displaysize="4" autosize="-1" bgcolor="darkblue"
    showcontrols="false" showtracker="-1" showdisplay="0" showstatusbar="-1"
    videoborder3d="-1" width="320" height="240"
    src="mms://Documentation1.wm.internapcdn.net/Documentation1/Butterfly.wmv"
    autostart="true" designtimesp="5311" loop="false"> </EMBED>
</OBJECT>
<!-- End Windows Media Delivery for Internap -->

Token authentication can be added with a few parameters. MediaConsole does this when generating embed code for secure streams. The extra code needed is shown in the next screen in red.


<!-- Begin Windows Media Delivery for Internap -->
<OBJECT id="mediaPlayer" width="320" height="240"
  classid="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
  codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701"
  standby="Loading Microsoft Windows Media Player components..."
  type="application/x-oleobject">
  <param name="src"
    value="mms://Documentation1.securewm.internapcdn.net/secure_Documentation1/Butterfly.wmv?token=##ENTER_TOKEN##">
  <param name="animationatStart" value="true">
  <param name="transparentatStart" value="true">
  <param name="autoStart" value="true">
  <param name="showControls" value="false">
  <param name="loop" value="false">
  <EMBED type="application/x-mplayer2"
    pluginspage="http://microsoft.com/windows/mediaplayer/en/download/" id="mediaPlayer"
    name="mediaPlayer" displaysize="4" autosize="-1" bgcolor="darkblue"
    showcontrols="false" showtracker="-1" showdisplay="0" showstatusbar="-1"
    videoborder3d="-1" width="320" height="240"
    src="mms://Documentation1.securewm.internapcdn.net/secure_Documentation1/Butterfly.wmv?token=##ENTER_TOKEN##"
    autostart="true" designtimesp="5311" loop="false"> </EMBED>
</OBJECT>
<!-- End Windows Media Delivery for Internap -->

Validating the Token

By default, the Windows Media Servers used for authenticated streaming do not allow anonymous connections to be made. Every attempted connection is validated before completing the connection. This validation is done by a real-time SOAP web service remote procedure at a location specified within the MediaConsole user interface. Once the connection is established the Windows Media Player is allowed to stream.

Embedding the Unique Token for HTTP Delivery (example shows Windows Media)

The unique token needs to be passed along in the embed code for the media player. The diagram below displays the source code typically used to embed unauthenticated Windows video into a website using HTML.


<!-- Begin HTTP Delivery for Internap -->
<OBJECT id="mediaPlayer" width="320" height="240"
  classid="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
  codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701"
  standby="Loading Microsoft Windows Media Player components..."
  type="application/x-oleobject">
  <param name="src" value="http://Documentation1.http.internapcdn.net/Documentation1/Butterfly.wmv">
  <param name="animationatStart" value="true">
  <param name="transparentatStart" value="true">
  <param name="autoStart" value="true">
  <param name="showControls" value="false">
  <param name="loop" value="false">
  <EMBED type="application/x-mplayer2"
    pluginspage="http://microsoft.com/windows/mediaplayer/en/download/" id="mediaPlayer"
    name="mediaPlayer" displaysize="4" autosize="-1" bgcolor="darkblue"
    showcontrols="false" showtracker="-1" showdisplay="0" showstatusbar="-1"
    videoborder3d="-1" width="320" height="240"
    src="http://Documentation1.http.internapcdn.net/Documentation1/Butterfly.wmv"
    autostart="true" designtimesp="5311" loop="false"> </EMBED>
</OBJECT>
<!-- End HTTP Delivery for Internap -->

Token authentication can be introduced into the code above by adding a few subtle parameters. The MediaConsole GUI does this when generating embed code for secure streams. The diagram below shows the extra code needed for secure streams in red.

<!-- Begin HTTP Delivery for Internap -->
<OBJECT id="mediaPlayer" width="320" height="240"
  classid="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
  codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701"
  standby="Loading Microsoft Windows Media Player components..."
  type="application/x-oleobject">
  <param name="src"
    value="http://Documentation1.securehttp.internapcdn.net/secure_Documentation1/Butterfly.wmv?token=##ENTER_TOKEN##">
  <param name="animationatStart" value="true">
  <param name="transparentatStart" value="true">
  <param name="autoStart" value="true">
  <param name="showControls" value="false">
  <param name="loop" value="false">
  <EMBED type="application/x-mplayer2"
    pluginspage="http://microsoft.com/windows/mediaplayer/en/download/" id="mediaPlayer"
    name="mediaPlayer" displaysize="4" autosize="-1" bgcolor="darkblue"
    showcontrols="false" showtracker="-1" showdisplay="0" showstatusbar="-1"
    videoborder3d="-1" width="320" height="240"
    src="http://Documentation1.securehttp.internapcdn.net/secure_Documentation1/Butterfly.wmv?token=##ENTER_TOKEN##"
    autostart="true" designtimesp="5311" loop="false"> </EMBED>
</OBJECT>
<!-- End HTTP Delivery for Internap -->


Validating the Token

By default, the HTTP Delivery Servers used for authenticated streaming do not allow anonymous connections. Every attempted connection is validated before completing the connection. Validation is done by a real-time SOAP web service remote procedure at a location specified within the MediaConsole user interface. Once the connection is established the requesting party is allowed to stream.

Creating a Validation Service

The SOAP web service remote procedure class is very basic. Information such as the contents of the token, client IP address and referrer (referrer authentication is limited to Windows Media implementation) is passed as parameters. A simple status should be returned that corresponds to “accepting” or “rejecting” the connection. The web service can be implemented using ASP.NET, PHP and JSP. The web service must be developed to follow a very strict SOAP format. The format is described in the WSDL in the following screen.


<?xml version="1.0" ?>
<definitions name="VSAuthentication"
  targetNamespace="http://vitalstream.com/webservices"
  xmlns:typens="http://vitalstream.com/webservices"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns="http://schemas.xmlsoap.org/wsdl/">
  <types>
    <xsd:schema xmlns="http://www.w3.org/2001/XMLSchema"
      targetNamespace="http://vitalstream.com/webservices">
    </xsd:schema>
  </types>
  <message name="doAuthenticate">
    <part name="strAccount" type="xsd:string" />
    <part name="strToken" type="xsd:string" />
    <part name="strReferrer" type="xsd:string" />
    <part name="strSourceURL" type="xsd:string" />
    <part name="strClientIP" type="xsd:string" />
  </message>
  <message name="doAuthenticateResponse">
    <part name="Result" type="xsd:int" />
  </message>
  <portType name="VSAuthenticationPort">
    <operation name="Authenticate">
      <input message="typens:doAuthenticate" />
      <output message="typens:doAuthenticateResponse" />
    </operation>
  </portType>
  <binding name="VSAuthenticationBinding" type="typens:VSAuthenticationPort">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http" />
    <operation name="Authenticate">
      <soap:operation soapAction="http://vitalstream.com/webservices/Authenticate" />
      <input>
        <soap:body use="encoded" namespace="http://vitalstream.com/webservices"
          encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" />
      </input>
      <output>
        <soap:body use="encoded" namespace="http://vitalstream.com/webservices"
          encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" />
      </output>
    </operation>
  </binding>
  <service name="VSAuthenticationService">
    <port name="VSAuthenticationPort" binding="typens:VSAuthenticationBinding">
      <soap:address location="http://localhost/VSAuthenticationWS/php/Authentication.php" />
    </port>
  </service>
</definitions>
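The request and response this WSDL implies, as an added Python example (not Internap's sample code): it parses an rpc/encoded SOAP 1.1 Authenticate call and answers 1 or 0, rejecting anything malformed. The envelope is constructed from the WSDL's part names; the AuthenticateResponse wrapper name follows the usual SOAP RPC convention and, like the function names and the decide callback, is an assumption.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"
SERVICE_NS = "http://vitalstream.com/webservices"  # targetNamespace in the WSDL
PARTS = ("strAccount", "strToken", "strReferrer", "strSourceURL", "strClientIP")

# Constructed request, built from the WSDL's part names (not captured traffic).
SAMPLE_REQUEST = f"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="{SOAP_ENV}" soap:encodingStyle="{SOAP_ENC}">
  <soap:Body>
    <ns:Authenticate xmlns:ns="{SERVICE_NS}">
      <strAccount>Documentation1</strAccount>
      <strToken>SAMPLE-TOKEN</strToken>
      <strReferrer>http://www.example.com/watch.html</strReferrer>
      <strSourceURL>mms://Documentation1.securewm.internapcdn.net/secure_Documentation1/Butterfly.wmv</strSourceURL>
      <strClientIP>192.0.2.10</strClientIP>
    </ns:Authenticate>
  </soap:Body>
</soap:Envelope>"""


def parse_request(xml_text):
    """Return the five doAuthenticate parts as a dict, or None if the call is malformed."""
    if "<!DOCTYPE" in xml_text:
        return None  # SOAP 1.1 messages must not carry a DTD; refuse before parsing
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    call = root.find(f"{{{SOAP_ENV}}}Body/{{{SERVICE_NS}}}Authenticate")
    if call is None:
        return None
    # Match on local names so qualified and unqualified part elements both work.
    found = {child.tag.rsplit("}", 1)[-1]: (child.text or "").strip() for child in call}
    if any(name not in found for name in PARTS):
        return None
    return {name: found[name] for name in PARTS}


def build_response(result):
    """Serialise doAuthenticateResponse; anything other than 1 is sent as 0."""
    code = 1 if result == 1 else 0
    return (
        '<?xml version="1.0"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_ENV}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
        f'soap:encodingStyle="{SOAP_ENC}">'
        '<soap:Body>'
        f'<ns:AuthenticateResponse xmlns:ns="{SERVICE_NS}">'
        f'<Result xsi:type="xsd:int">{code}</Result>'
        '</ns:AuthenticateResponse></soap:Body></soap:Envelope>'
    )


def handle(xml_text, decide):
    """decide(**parts) is the site's own accept/reject logic (hypothetical callback)."""
    parts = parse_request(xml_text)
    if parts is None:
        return build_response(0)
    try:
        return build_response(decide(**parts))
    except Exception:
        return build_response(0)  # an error in the check must not open the stream
```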


Internap provides sample source code that may be modified to suit various types of customers. The sample includes an example in ASP.NET with C# and PHP. The source code and WSDL files are located in the Authentication section of MediaConsole Online Help. Below you will find an excerpt from the ASP.NET C# sample code.

using System.Web.Services;
using System.Web.Services.Protocols;

// IMPORTANT: Explicitly set the web service to use RPC Binding of "Encoded"
[SoapDocumentService(Use = System.Web.Services.Description.SoapBindingUse.Encoded)]
[WebService(Namespace = "http://vitalstream.com/webservices")]
public class Authentication : System.Web.Services.WebService
{
    [WebMethod] // Attribute that exposes the method via web services
    public int Authenticate(string strAccount, string strToken, string strReferrer,
                            string strSourceURL, string strClientIP)
    {
        int intRetval = 0; // This is the value we ultimately return from this method
        try
        {
            // If the token is an even number we will allow access, if the number is odd we reject
            if (int.Parse(strToken) % 2 == 0) intRetval = 1;
        }
        catch (System.Exception)
        {
            // A token that does not parse as a number leaves intRetval at 0 (REJECT)
        }
        return intRetval; // return ACCEPT(1) or REJECT(0)
    }
}

This very basic example should not be used in a production environment because it would be trivial to predict. If the token is an even number the connection is accepted, if the token is odd then the connection is rejected. The design of the web service should take into consideration the amount of time needed to return a value. The longer the web service takes to return, the longer a client has to wait before the media begins streaming.
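One way to back the Authenticate call and the token issuing described under "Issuing A Unique Token", as an added Python example that is not Internap's sample code. TokenStore, its in-memory table, the 120-second lifetime, the single-use switch and the binding of a token to the account and client IP seen at issue time are assumptions; tokens come from the operating system's CSPRNG, the "Random Number Generator" option in the list of token sources.

```python
import hashlib
import secrets
import time

ACCEPT, REJECT = 1, 0  # the return codes the guide's C# sample uses


class TokenStore:
    """In-memory stand-in (assumption) for the token database the guide describes."""

    def __init__(self, ttl_seconds=120, single_use=True, clock=time.time):
        self._ttl = ttl_seconds
        self._single_use = single_use  # set False if one token must cover SWF and FLV checks
        self._clock = clock            # injectable so expiry can be exercised in tests
        self._rows = {}                # sha256(token) -> (account, client_ip, expires_at)

    @staticmethod
    def _key(token):
        # Store only a digest, so a leaked table does not hand out live tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account, client_ip):
        """Called by the web site when it renders the page that holds the player."""
        # 256 bits from the OS CSPRNG: no username, password or timestamp to guess.
        token = secrets.token_urlsafe(32)
        self._rows[self._key(token)] = (account, client_ip, self._clock() + self._ttl)
        return token  # goes where ##ENTER_TOKEN## sits in the embed code

    def purge_expired(self):
        """Delete expired rows (the guide's token cleaning); returns how many were removed."""
        now = self._clock()
        stale = [k for k, row in self._rows.items() if row[2] <= now]
        for k in stale:
            del self._rows[k]
        return len(stale)

    def authenticate(self, strAccount, strToken, strReferrer, strSourceURL, strClientIP):
        """Takes the WSDL's doAuthenticate parts; referrer and source URL are not checked here."""
        try:
            key = self._key(strToken)
            row = self._rows.get(key)
            if row is None:
                return REJECT              # unknown, already used, or purged
            account, client_ip, expires_at = row
            if self._clock() >= expires_at:
                del self._rows[key]
                return REJECT              # expired
            if account != strAccount or client_ip != strClientIP:
                return REJECT              # presented for another account or address
            if self._single_use:
                del self._rows[key]        # a passed-around link fails on the second try
            return ACCEPT
        except Exception:
            return REJECT                  # fail closed, as the sample's empty catch does
```

The dictionary lookup keeps the check fast, which matters because the client waits on this call before the media starts.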