The Steps of One Time Token Operations
Attention: We have migrated our documentation to our new platform, Ant Media Resources. Please follow this link for the latest and up-to-date documentation.
NOTE: We have updated our documentation. This page is outdated. You can access updated version from the sidebar menu.
NOTE: We have updated our documentation. This page is outdated. You can access updated version from the sidebar menu.
The one-time token method is one of the effective authentication methods to secure your streams. Ant Media Server offers one-time token security control option with 1.5.0 version.
- TokenId: Generated a random string from service.
- StreamId: The Id of the resource that the user wants to reach.
- ExpireDate: The expiration date of the token (Use Unix Timestamp, such as 1560771964).
- Type: Either
publishorplaytoken.
Firstly, the setting should be enabled in the management panel.
The Server creates tokens with getToken Rest Service getting streamId, expireDate and type parameters with query parameters. Service returns tokenId and other parameters. It is important that streamId and type parameters should be defined properly. Because tokenId needs to match with both streamId and type.
The sample token creation service URL:
http://[IP_Address]:5080/<Application_Name>/rest/broadcast/getToken?id=<Stream_Id>&expireDate=<Expire_Date>&type=publish
Please note that calling this rest service from remote is restricted due to the security reasons. Please add the requester IP addresses to "Use IP Filtering for RESTful API" section in Settings Tab of the application.
The system controls token validity during publishing or playing.
RTMP Publishing: You need to add a token parameter to RTMP URL before publishing. Sample URL:
rtmp://[IP_Address]/<Application_Name>/<Stream_Id>?token=tokenId
WebRTC Publishing: Token parameter should be inserted to publish WebSocket message.
{
command : "publish",
streamId : "stream1",
token : "tokenId",
}For details about WebRTC WebSocket messaging please visit wiki page.
The Server creates tokens with getToken Rest Service getting streamId, expireDate and type parameters with query parameters. Service returns tokenId and other parameters. It is important that streamId and type parameters should be defined properly. Because tokenId needs to match with both streamId and type.
The sample token creation service URL:
http://[IP_Address]:5080/<Application_Name>/rest/broadcast/getToken?id=<Stream_Id>&expireDate=<Expire_Date>&type=play
Please note that calling this rest service from remote is restricted due to the security reasons.
If you want to remove this filtering mechanism please remove the below lines from webapps-> {Application} -> WEBINF -> web.xml
<filter>
<filter-name>RestAuthenticationFiler</filter-name>
<filter-class>io.antmedia.serverapp.pscp.filter.RestAuthenticationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>RestAuthenticationFiler</filter-name>
<url-pattern>/rest/*</url-pattern>
</filter-mapping>Live Stream/VoD Playing: Same as publishing, the token parameter is added to URL. Sample URL:
http://[IP_Address]/<Application_Name>/streams/<Stream_Id_or_Source_Name>?token=tokenId
WebRTC Playing: Again the token parameter should be inserted to play WebSocket message.
{
command : "play",
streamId : "stream1",
token : "tokenId",
room : "roomId"
}Please have a look at the principles described in the wiki page.
Ant Media Server evaluates based on its properties to secure your streams. Whether it is valid for the requested stream or not is controlled. Another important control process is checking the type of the token. Because the developer or administrator may give access to a user to play a stream but not publish to this stream even with the same streamId.
Once the token is successfully validated by Ant Media Server, then it is removed from the database so that other requests with the same token will be dismissed. Since consecutive requests are sent during playing/accessing streams, the session information saved after the one-time token is consumed.