Red5 Documentation

HLS Subscriber Authentication

If you wish to enable authentication for live HLS streams, you will need to take the following steps:

Standalone Server and Autoscale Nodes

red5-web.xml modification

You will need to uncomment the roundTripValidator bean, as described here. In addition, you will need to add http to the simpleAuthSecurity bean. It will look like:

<bean id="simpleAuthSecurity" class="com.red5pro.server.plugin.simpleauth.Configuration" >
    <property name="active" value="true" />
    <property name="rtmp" value="true" />
    <property name="rtsp" value="true" />
    <property name="rtc" value="true" />
    <property name="http" value="true" />
    <property name="rtmpAllowQueryParamsEnabled" value="true" />
    <property name="allowedRtmpAgents" value="*" />
    <property name="validator" ref="roundTripValidator" />
</bean>

web.xml modification

Uncomment the HLS authServlet in web.xml:

<!-- uncomment for HLS auth -->
    <!--
    <filter>
        <filter-name>authServlet</filter-name>
        <filter-class>com.red5pro.server.plugin.simpleauth.servlet.AuthServlet</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>authServlet</filter-name>
            <url-pattern>*.m3u8</url-pattern>
        </filter-mapping>
-->

Client applications that use new session requests for each file or segment, such as newer VLC apps, will not be able to include a query string with the authentication parameters for requests beyond the first for the playlist. If you know that your subscriber can support the additional requests then you may want to include the *.ts filter mapping.

<filter>
    <filter-name>authServlet</filter-name>
    <filter-class>com.red5pro.server.plugin.simpleauth.servlet.AuthServlet</filter-class>
    </filter>
    <filter-mapping>
            <filter-name>authServlet</filter-name>
            <url-pattern>*.m3u8</url-pattern>
    <filter-mapping>
            <filter-name>authServlet</filter-name>
            <url-pattern>*.ts</url-pattern>
    </filter-mapping>
    <filter-mapping>
            <filter-name>authServlet</filter-name>
            <url-pattern>*.m4*</url-pattern>
    </filter-mapping>
    </filter-mapping>

Stream Manager

To implement VOD HLS authentication for StreamManager API calls, modify the red5pro/webapps/live/WEB-INF/web.xml, replacing the standard M3U8ListingServlet with the following:

<servlet>
    <servlet-name>playlists</servlet-name>
    <servlet-class>com.red5pro.server.plugin.simpleauth.servlet.M3U8ListingServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>playlists</servlet-name>
    <url-pattern>/playlists/*</url-pattern>
</servlet-mapping>

This replaces the com.red5pro.stream.transform.mpegts.server.M3U8ListingServlet class with com.red5pro.server.plugin.simpleauth.servlet.M3U8ListingServlet which provides authentication, as opposed to the unmodified version which allows any request.

Passing Authentication Credentials

Authentication credentials for HLS subscribers should be passed in the URL, for example: https://myserver.com/live/stream1.m3u8?username=user&password=pass&token=token