Frequently Asked Questions
How to Password Protect Red5 Pro Apps Using Simple HTTP Basic Realm Authentication
INTRODUCTION
SECURING RED5 PRO WITH BASIC HTTP SECURITY
- STEP 1: CONFIGURING USER ACCOUNT & ROLE
- STEP 2: REGISTERING SECURITY WITH REALM
- STEP 3: SECURING RED5 PRO APPS USING HTTP BASIC AUTHENTICATION
- STEP 4: VERIFYING SECURITY
Please note: we also have a simple authentication plugin.
INTRODUCTION
Tomcat offers several ways to authenticate a user who opens the web pages we provide. Red5 Pro starts Tomcat as a submodule, so its configuration differs in a few minor ways from the usual setup. Hence we cannot secure Red5 Pro using exactly the same instructions that are meant for securing a standard Tomcat installation.
In the following sections we will see how to implement memory realm security to protect one or more resources on Red5 Pro. You may look up the hows and whys of realm security on Tomcat's official documentation page.
REFERENCE:
OFFICIAL TOMCAT DOCUMENTATION ON REALM SECURITY:
https://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
SECURING RED5 PRO WITH BASIC HTTP SECURITY
NOTE: Before starting on security configuration, make sure that your Red5 Pro server is not running. If it is running, stop it.
STEP 1 : CONFIGURING USER ACCOUNT & ROLE
Edit the tomcat-users.xml file located at {red5home}/conf/tomcat-users.xml in a text editor.
File : {red5home}/conf/tomcat-users.xml
<tomcat-users>
  <user
    name="admin"
    password="admin"
    roles="admin" />
  <user
    name="tomcat"
    password="tomcat"
    roles="tomcat" />
  <user
    name="role1"
    password="tomcat"
    roles="role1" />
  <user
    name="both"
    password="tomcat"
    roles="tomcat,role1" />
</tomcat-users>
- The root of the XML structure is the <tomcat-users> element, which holds the <user> elements.
- Each <user> element contains the required attributes for each user – name (username for authentication), password (plain text password), and roles (comma-separated list of roles that the user belongs to, used for authorization).
- You can edit an existing <user> entry.
Example:
<user
  name="admin"
  password="securepassword"
  roles="admin" />
Or create your own <user> entry by appending a user element to the list of existing user elements.
Example:
<user
  name="peter"
  password="peterpan"
  roles="peter" />
NOTE:
Roles can be custom types other than the default roles such as admin and tomcat.
Save and close the file {red5home}/conf/tomcat-users.xml.
STEP 2 : REGISTERING SECURITY WITH REALM
FROM OFFICIAL APACHE TOMCAT DOCS:
“A Realm element represents a “database” of usernames, passwords, and roles (similar to Unix groups) assigned to those users. Different implementations of Realm allow Catalina to be integrated into environments where such authentication information is already being created and maintained, and then utilize that information to implement Container Managed Security as described in the Servlet Specification”
Tomcat supports multiple realms for implementing security. The most basic kind of realm is the memory realm.
The user access file, {red5home}/conf/tomcat-users.xml, is loaded into memory as a database. Once HTTP basic authentication is activated on one or more scopes of the server, the server refers to this in-memory database to authenticate and authorize requests.
TO REGISTER MEMORY REALM SECURITY FOR RED5 PRO:
- Edit the file : {red5home}/conf/context.xml in a text editor
- Add the following line in it just after the starting <Context> tag.
<Realm className="org.apache.catalina.realm.MemoryRealm" />
- Save and close the file.
This ensures that the memory realm is used throughout Red5 Pro applications.
File : {red5home}/conf/context.xml
<Context>
  <Realm className="org.apache.catalina.realm.MemoryRealm" />
  <!-- Default set of monitored resources -->
  <WatchedResource>
    WEB-INF/web.xml
  </WatchedResource>
  <WatchedResource>
    META-INF/context.xml
  </WatchedResource>
  <!-- Uncomment this to disable session persistence across Tomcat restarts -->
  <!-- <Manager pathname="" /> -->
  <!--
    Uncomment this to enable Comet connection tacking (provides events
    on session expiration as well as webapp lifecycle)
  -->
  <!-- <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" /> -->
  <!-- <Loader loaderClass="org.red5.server.tomcat.WebappClassLoader" useSystemClassLoaderAsParent="false" /> -->
</Context>
STEP 3 : SECURING RED5 PRO APPS USING HTTP BASIC AUTHENTICATION
Now that we have prepared our user access configuration data and instructed Red5 Pro to use MemoryRealm security for all application contexts, we can activate security for each application individually or secure all of them centrally.
TO SECURE A RED5 PRO APPLICATION:
- Edit the Red5 Pro application's WEB-INF/web.xml file in a text editor
- Configure the application to use MemoryRealm by adding the following xml section to the web.xml file.
XML SNIPPET
<security-constraint>
  <web-resource-collection>
    <web-resource-name>{appname}</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>
Where {appname} is the name of the application to which we are adding security (usually the folder name is the application name).
This configuration tells the web application to use the HTTP BASIC authentication scheme to authenticate users for the admin role.
You will likely want to add the authentication in the root and live webapps, as well as any other that you are using.
Note: Do not add authentication in the streammanager webapp on a stream manager, as this will prevent the nodes from communicating with the cloudwatch service.
STEP 4 : VERIFYING SECURITY
TO TEST SECURITY:
1. Start Red5 Pro from the terminal by running {red5home}/red5.sh (Linux/Mac) or {red5home}/red5.bat (Windows).
2. Once Red5 has completed startup, visit the application's URL in a browser:
http://{red5prohost}:5080/{appname}
Where {red5prohost} is your Red5 Pro server host/IP and {appname} is the Red5 application name.
3. If everything was set up properly in the previous steps, you should now be greeted with an HTTP authentication dialog box in the browser.
4. Enter the username as admin and the password as securepassword (as configured earlier in STEP 1).
5. If you are unable to authenticate due to repeated authentication failures, or you cancel the process, the server returns a 401 response and displays a Tomcat error message.
6. On successful authentication, you should be able to see the page/location you requested (if it is renderable).
IMPORTANT NOTE:
Activating realm security on the root webapp will NOT block access to other webapps.
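A pre-start consistency check for the files edited in Steps 1 to 3, given here as an added example that is not part of the original guide or of Red5 Pro's own tooling. It cross-checks tomcat-users.xml, context.xml and each webapp's web.xml, and reports webapps that carry no security-constraint, since securing root does not cover live or any other app. The function names, the STOCK_PASSWORDS set and the embedded XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MEMORY_REALM = "org.apache.catalina.realm.MemoryRealm"
STOCK_PASSWORDS = {"admin", "tomcat"}  # passwords in the sample tomcat-users.xml above

def _named(root, name):  # match on local names: web.xml usually has a default namespace
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(root, parent, child="role-name"):
    return {(c.text or "").strip() for p in _named(root, parent) for c in _named(p, child)}

def load_users(users_xml):
    """tomcat-users.xml text -> {username: (password, set_of_roles)}"""
    return {u.get("username") or u.get("name"):
            (u.get("password", ""), {r.strip() for r in u.get("roles", "").split(",") if r.strip()})
            for u in _named(ET.fromstring(users_xml), "user")}

def audit(users_xml, context_xml, webapps):
    """webapps maps app name -> WEB-INF/web.xml text; returns sorted findings."""
    users, out = load_users(users_xml), []
    if not any(r.get("className") == MEMORY_REALM for r in _named(ET.fromstring(context_xml), "Realm")):
        out.append("context.xml: MemoryRealm is not registered")
    for name, (pw, _) in users.items():
        if pw == name or pw in STOCK_PASSWORDS:
            out.append(f"user {name}: stock or username-equal password")
    for app, text in webapps.items():
        root = ET.fromstring(text)
        if not _named(root, "security-constraint"):
            out.append(f"{app}: no security-constraint, served without authentication")
        elif _texts(root, "login-config", "auth-method") != {"BASIC"}:
            out.append(f"{app}: auth-method is not BASIC")
        required = _texts(root, "auth-constraint") - {"*", "**"}  # wildcards name no single role
        for role in sorted(required - _texts(root, "security-role")):
            out.append(f"{app}: role {role} not declared in security-role")
        for role in sorted(required):
            if not any(role in roles for _, roles in users.values()):
                out.append(f"{app}: no user holds role {role}")
    return sorted(out)

# Constructed sample input: "live" follows Step 3, "root" was left unsecured.
USERS = ('<tomcat-users><user name="admin" password="securepassword" roles="admin"/>'
         '<user name="both" password="tomcat" roles="tomcat,role1"/></tomcat-users>')
CONTEXT = f'<Context><Realm className="{MEMORY_REALM}"/></Context>'
LIVE = ('<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint><web-resource-collection>'
        '<url-pattern>/*</url-pattern></web-resource-collection><auth-constraint><role-name>admin</role-name>'
        '</auth-constraint></security-constraint><login-config><auth-method>BASIC</auth-method></login-config>'
        '<security-role><role-name>admin</role-name></security-role></web-app>')
ROOT = '<web-app xmlns="http://java.sun.com/xml/ns/javaee"><display-name>root</display-name></web-app>'
if __name__ == "__main__":
    print("\n".join(audit(USERS, CONTEXT, {"live": LIVE, "root": ROOT})))
```

To use it against a real install, read {red5home}/conf/tomcat-users.xml, {red5home}/conf/context.xml and each webapp's WEB-INF/web.xml as text and pass them to audit().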
original: ??? ??/??/??; revised Jes 11/6/2020