-

Ready to use – Red5 streamer with stream security


As RTMP continues to grow, and Red5 triumphs as the only open source RTMP server alive, there are concerns to protect your application from misuse. The following red5 application implements stream security for both playback and publishing.

You can edit the files – allowedHTMLdomains.txt and allowedSWFdomains.txt and add the domain names that you want to be able to playback/publish using your application. Each domain name must be added in a  new line.

The application also lets you allow/disallow publishing entirely. To do so edit the file red5-web.xml and set enable publish as true/false according to your needs:

<bean class="org.red5.core.security.PublishSecurity" init-method="init" id="publishSecurity">
<property name="application" ref="web.handler" />
<property name="htmlDomains" value="/WEB-INF/allowedHTMLdomains.txt" />
<property name="swfDomains" value="/WEB-INF/allowedSWFdomains.txt" />
<property name="publishNames" value="/WEB-INF/allowedPublishNames.txt" />
<property name="enablePublish" value="true" />
</bean>

You can also set stream publish security by defining specif stream names that are allowed for recording/broadcasting in the file allowedPublishNames.txt

Note : putting a * in any of the three security files will disable security for the particular context. Eg: Putting a * in allowedPublishNames.txt means that stream check is disabled.

This application is created for a quick and easy deployment, with guidance from red5.org.

Download:

Customstreamer_domaincontrol_source_0.8

Customstreamer_domaincontrol_deployable_0.8 [rtmp application name: domaincontrol]

Or generate your own with Red5 – Online Application Generator

1

Hacking Private Channels Of Ustream

Recently working on a custom player implementaion on ustream.com using their api, i found a huge loophole that i would like to share.  Ustream lets you create public/private channels and then broadcast on them using fmle or swf based publisher. Private channels can be password protected, so only people with right password can view it. But here is the catch !! The password based security system is pretty invalid in itself.

While programming on the platform i noticed that the player uses amf protocol to send receive data to server.  So here is how you can hack any one’s private channel (password protected).

1.  Go to https://addons.mozilla.org/en-US/firefox/addon/1843/ and install firebug extension for firefox.

2.  Go to the page which hosts the private channel and open the firebug debug panel. Make sure you have enabled the Net panel.

Firebug NetPanel

3.  Next without much effort if you see you will notice that, while going through the requests made by the site to ustream, the amf call with the password tagged to it is very clearly visible.

Password Reveal

So there you have it both channel id and password for the stream !. Not so protected is it now ? 🙂

last comments
Mike Loftus
Mike Loftus

Has this method been fixed by ustream? I am not having any luck. I am trying to watch: http://www.ustream.tv/recorded/9438662 If…

4

Record Live Stream With Red5 Media Server

Most commonly known modes of working in RTMP servers  are the live, record and append modes. However a most commonly required mode which is not provided in the flash API is the Live-Record mode. Each RTMP server has its own way of implementing it on the server side. Here we will see how to use flash client and Red5 to do live-record.

Red5 Server Application Code: – [ Goes into Application Class ]

/** {@inheritDoc} */
@Override
public boolean connect(IConnection conn, IScope scope, Object[] params) {
return true;
}

/** {@inheritDoc} */
@Override
public void disconnect(IConnection conn, IScope scope) {
super.disconnect(conn, scope);
}

@Override
public void streamPublishStart(IBroadcastStream stream)
{
try {
stream.saveAs(stream.getPublishedName(), false);
} catch (Exception e) {
e.printStackTrace();
}
}

@Override
public void streamBroadcastClose(IBroadcastStream stream)
{
System.out.print("Broadcast Closed");
}

@Override
public void streamBroadcastStart(IBroadcastStream stream)
{
System.out.print("Broadcast Started");
}

In the above code you will see there are two events for handling BroadcastStart:  streamBroadcastStart and streamPublishStart. We will typically use streamPublishStart which is safer. The method saveAs takes two parameters: savefilename and append. When append is true Red5 will try to append new stream data to existing file , in which case it may throw exception if file was not existing. Thus we surround the statement by a  try… catch block to handle such situations.

Flash Client Sample:

In your flash client code you create a simple publisher and publish the stream as live stream. Red5 will automatically begin recording the stream at server end.

import flash.events.NetStatusEvent;
import flash.events.StatusEvent;
import flash.media.*;
import flash.system.*;
import flash.events.MouseEvent;
import fl.controls.Button;

var mic:Microphone;
var cam:Camera;
var micAllowed:Boolean = false;
var camAllowed:Boolean = false;
var nc:NetConnection = new NetConnection();
var ns:NetStream;

nc.addEventListener(NetStatusEvent.NET_STATUS,onNetStatus);
nc.connect("rtmp://localhost/customstreamer");

function onNetStatus(e:NetStatusEvent):void
{
switch(e.info.code)
{
case "NetConnection.Connect.Success":
initStream();
attachDevices();
break;
}
}

function onStreamStatus(e:NetStatusEvent):void
{
trace(e.info.code);
}

function initStream()
{
ns = new NetStream(nc);
ns.addEventListener(NetStatusEvent.NET_STATUS,onStreamStatus);
}

function attachDevices():void
{
mic = Microphone.getMicrophone();
cam = Camera.getCamera();
if(mic != null) configureMic();
if(cam != null) configureCam();
}

function configureMic()
{
mic.rate = 22;
mic.gain = 50;
mic.setLoopBack(true);
mic.setUseEchoSuppression(true);
mic.addEventListener(StatusEvent.STATUS, onMicStatus);
}

function configureCam()
{
cam.setLoopback(true);
cam.setMode(176,144,15);
cam.setKeyFrameInterval(5);
cam.setQuality(0,70);
cam.addEventListener(StatusEvent.STATUS, onCamStatus);
vid.attachCamera(cam);
}

function onMicStatus(s:StatusEvent):void
{
switch(s.code)
{
case "Microphone.Unmuted":
micAllowed = true;
break;

case "Microphone.Muted":
micAllowed = false;
break;
}

validateRecorder();
}

function onCamStatus(s:StatusEvent):void
{
switch(s.code)
{
case "Camera.Unmuted":
camAllowed = true;
break;

case "Camera.Muted":
camAllowed = false;
break;
}

validateRecorder();
}

function validateRecorder()
{
if(camAllowed || micAllowed)
{
btnStart.addEventListener(MouseEvent.CLICK,onStart);
btnStop.addEventListener(MouseEvent.CLICK,onStop);
}
}

function onStart(me:MouseEvent):void
{
ns.attachAudio(mic);
ns.attachCamera(cam);
ns.publish("demostream","live");
}

function onStop(me:MouseEvent):void
{
ns.close();
}

You will notice that in the above code we stream cam/mic data in live mode. And our server side code captures the live broadcast into a flv container.

Download FLA: (required Flash CS5)

last comments
Jorj
Jorj

Thank you so much! I've been searching for this functionality :)
adilfacron
adilfacron

Thank you for example. I have a queston. I tried your example, everything worked well but recorded flv contains nothing…
PJ
PJ

Thank you. Great example. I think Red5 is a great alternative to FMS & Wowza since its open source with…
oliver_vip
oliver_vip

thax alot! this is a thanksgiving letter from China!

4

Live Streaming With Flash Media Encoder & Red5

Online live streaming is one of the top ranks that Adobe Flash holds at the moment. Although you will find many web-based flash recorders and live streaming applications, none can match the Adobe Flash Media Live Encoder. As i have noticed FMLE has a much superior encoding quality as compared to any swf based encoder (more…)

last comments
Chris
Chris

Red 5 comes actually without midiDemo and i dont know how to install it :(
rashdan
rashdan

hi, is there any other way to view the live stream without using publisher? for example plain html or java.…
Gwyneth Llewelyn
Gwyneth Llewelyn

You can use the "live" app instead. I don't have the midiDemo either...
Gwyneth Llewelyn
Gwyneth Llewelyn

You might take a look at this: https://stackoverflow.com/a/43647089 It seems to work well with minimal HTML5 and linking to a…