Attention: You must use the secure RTMPE protocol along with SecureToken when connecting to Wowza to fully protect content from the latest “leech” program:
RTMPE://[wowza-ip-address]/secureApplication.
Below are the instruction to add SecureToken protection to JW player. As of JW Player 4.1 SecureToken is now built into the player (thank you Jeroen!!!).
Install the Wowza Pro SecureToken example by double clicking on [wowza-pro-install-dir]/examples/SecureToken/install.sh (this will setup the Wowza Pro application securetoken with a secureTokenSharedSecret of #ed%h0#w@1)
Start Wowza Pro
Download the JW player 4 for Flash source code from here: JW Player for Flash (JW Player is commercial software).
Edit [jw-source-code]/com/jeroenwijering/models/RTMPModel.as and enter the secure token value (around line 186):
from:
TEA.decrypt(evt.info.secureToken,model.config['token']));
to:
TEA.decrypt(evt.info.secureToken,"#ed%h0#w@1"));
Open [jw-source-code]/player.fla in Flash CS3 and select File: Publish to generate a new [jw-source-code]/player.swf file
Edit [jw-source-code]/readme.html and change the flashvars param in the script section (around line 60):
from:
to:
Where [wowzapro-ip-address] is the ip address of the server running Wowza Pro. Note the RTMPE protocol.
Note: Once you have it working with the example shared secret, you can update the shared secret to your own value by following these steps:
- Edit [wowza-pro-install-dir]/conf/securetoken/Application.xml and change the secureTokenSharedSecret property to the new value and restart Wowza Pro_- Edit [jw-source-code]/com/jeroenwijering/models/RTMPModel.as and change the string passed to the secureTokenResponse callback to the same value as above and use Flash CS to re-publish the player.swf file_-
I have updated the instructions for JW Player 4.1. Much simpler now since it is built in. Send a big thank you email to Jeroen (mail@jeroenwijering.com). It does require that you get the latest source code from subversion.
I just tried your exact code against the 4.1 source code (I did download the 4.1 zip archive at http://code.jeroenwijering.com/trac/browser/tags) and it worked perfectly. No errors. Not sure what is wrong.
I just download the most recent Replay Media Catch 3.0.1 (with all the new plugins) and SecureToken blocks it for me. The file does show up in the list but it is not populated with any data and in the Wowza Pro logs I can see the Replay Media Catcher connection being blocked:
INFO application app-start definst securetoken/definst
INFO session connect-pending 192.168.1.2 -
INFO server comment - SecureTokenTarget: create:true play:false publish:false
INFO session connect 192.168.1.2 -
INFO stream create - -
INFO session connect-pending 192.168.1.2 -
INFO server comment - SecureTokenTarget: create:true play:false publish:false
INFO session connect 192.168.1.2 -
ERROR server comment - Error: SecureToken: Challenge does not equal response: kill connection
ERROR server comment - Error: SecureToken: Action before response received: kill connection
INFO stream create - -
INFO stream destroy - -
INFO session disconnect 2072201024 -
INFO stream play Extremists -
INFO stream stop Extremists -
INFO stream destroy Extremists -
INFO session disconnect 692588433 -
If you still can’t sort out why it is not protecting your content zip up and send me your conf and logs folders so I can have a look (charlie@wowza.com).
Could you please verify how to get the securetoken with the latest version of the JW player (4.1). I tried it with this well written documentation but it didnt work.
I’m not sure I understand the level of security this provides.
If the secure token shared secret is embedded in the player, then anyone who downloads the modified player.swf file could then play the protected videos.
If that means restricting access to the modified player.swf file, then that also means that to create different access control lists, I would need to have numerous customized player.swf files.
None of any recorder apps could do the job but I still couldnt prevent anyone to embed player from our page through source. Someone took the html code and embed from our site onto theirs. It seems that SecureToken is not a solution to prevent that way. A guy mentioned about Secure URL so anyone has an idea to secure even I added our domain on a xml file under wms that it shouldnt stream anywhere except a specific domain but still it does.
The above instructions are for the current version. I have not tried them lately but they should work. That being said, I know there was a problem with the initial release of JW Player 4.4 and SecureToken. I suggest you check the JW Player site. They were suppose to have fixed it.