How to Password Protect Red5 Pro Apps Using Simple HTTP Basic Realm Authentication

INTRODUCTION

SECURING RED5 PRO WITH BASIC HTTP SECURITY

  • STEP 1: CONFIGURING USER ACCOUNT & ROLE
  • STEP 2: REGISTERING SECURITY WITH REALM
  • STEP 3: SECURING RED5 PRO APPS USING HTTP BASIC AUTHENTICATION
  • STEP 4: VERIFYING SECURITY

 Please note: we also have a simple authentication plugin.

INTRODUCTION
Tomcat offers several ways to authenticate a user who opens the web pages we provide. Red5 Pro starts Tomcat as a submodule, so its configuration differs slightly from the usual setup. As a result, Red5 Pro cannot be secured with exactly the same instructions that are meant for a standard Tomcat installation.

In the following sections we will see how to implement memory realm security to protect one or more resources on Red5 Pro. You can look up the hows and whys of realm security on Tomcat’s official documentation page.

 

REFERENCE:

OFFICIAL TOMCAT DOCUMENTATION ON REALM SECURITY:
https://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

 

SECURING RED5 PRO WITH BASIC HTTP SECURITY

NOTE: Before starting the security configuration, make sure that your Red5 Pro server is not running. If it is running, stop it.

 



STEP 1 : CONFIGURING USER ACCOUNT & ROLE

Edit the tomcat-users.xml file located at {red5home}/conf/tomcat-users.xml in a text editor.


File : {red5home}/conf/tomcat-users.xml

<tomcat-users>

   <user
       name="admin"
       password="admin"
       roles="admin" />

   <user
       name="tomcat"
       password="tomcat"
       roles="tomcat" />

   <user
       name="role1"
       password="tomcat"
       roles="role1" />

   <user
       name="both"
       password="tomcat"
       roles="tomcat,role1" />

</tomcat-users>

 

  • The root of the XML structure is the <tomcat-users> element, which holds the <user> elements.
  • Each <user> element contains the required attributes for each user – name (username for authentication), password (plain text password), and roles (comma-separated list of roles that the user belongs to, used for authorization).
  • You can edit an existing <user> entry.

 

Example:

<user
       name="admin"
       password="admin"
       roles="admin" />

Or create your own <user> entry by appending a user element to the list of existing user elements.


Example:

<user
       name="peter"
       password="peterpan"
       roles="admin" />


NOTE:
Roles can be of custom types other than the default roles such as admin, tomcat etc. For our context we shall consider only the admin role.


Change the password for the admin user to something more secure. Do not change the role for the admin user.

<user
       name="admin"
       password="securepassword"
       roles="admin" />


Save and close the file {red5home}/conf/tomcat-users.xml.

 

 


 

STEP 2 : REGISTERING SECURITY WITH REALM

 

FROM OFFICIAL APACHE TOMCAT DOCS:

“A Realm element represents a "database" of usernames, passwords, and roles (similar to Unix groups) assigned to those users. Different implementations of Realm allow Catalina to be integrated into environments where such authentication information is already being created and maintained, and then utilize that information to implement Container Managed Security as described in the Servlet Specification”

Tomcat supports multiple realms for implementing security. The most basic kind of realm is the memory realm.

The user access file, {red5home}/conf/tomcat-users.xml, is loaded into memory as a database. Once HTTP basic authentication is activated on one or more scopes of the server, the server consults this in-memory database to authorize requests.

 

TO REGISTER MEMORY REALM SECURITY FOR RED5 PRO:

 

  1. Edit the file : {red5home}/conf/context.xml in a text editor

  2. Add the following line in it just after the starting <Context> tag.

    <Realm className="org.apache.catalina.realm.MemoryRealm" />

  3. Save and close the file.

 


This ensures that the memory realm is used by all Red5 Pro applications.

 

 

File : {red5home}/conf/context.xml

<Context>

   <Realm className="org.apache.catalina.realm.MemoryRealm" />

   <!-- Default set of monitored resources -->
   <WatchedResource>WEB-INF/web.xml</WatchedResource>
   <WatchedResource>META-INF/context.xml</WatchedResource>

   <!-- Uncomment this to disable session persistence across Tomcat restarts -->
   <!-- <Manager pathname="" /> -->

   <!--
        Uncomment this to enable Comet connection tacking (provides events
        on session expiration as well as webapp lifecycle)
   -->
   <!-- <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" /> -->

   <!-- <Loader loaderClass="org.red5.server.tomcat.WebappClassLoader" useSystemClassLoaderAsParent="false" /> -->

</Context>

 

 


 

STEP 3 : SECURING RED5 PRO APPS USING HTTP BASIC AUTHENTICATION

Now that we have prepared our user access configuration data and instructed Red5 Pro to use MemoryRealm security for all application contexts, we can activate security for each application individually or secure all of them centrally.


TO SECURE A RED5 PRO APPLICATION:

  1. Edit the Red5 pro application's WEB-INF/web.xml file in a text editor

  2. Configure the application to use MemoryRealm by adding the following xml section to the web.xml file.


XML SNIPPET

<security-constraint>
    <web-resource-collection>
        <web-resource-name>{appname}</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<security-role>
    <role-name>admin</role-name>
</security-role>


Where {appname} is the name of the application to which we are adding security (usually the folder name is the application name).

This configuration tells the web application to use the HTTP BASIC authentication scheme and to allow access only to authenticated users in the admin role.


Save and close the red5 pro application’s WEB-INF/web.xml file.
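A consistency check for the files edited in Steps 1 to 3, as an added example that is not part of the original guide or Red5 Pro's own code: it confirms that the role named in web.xml's auth-constraint is declared and held by at least one user, and flags any such user whose password is one of the values printed in this guide. The sample XML is constructed, and "live" is a placeholder application name.

```python
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the files in Steps 1 and 3; "live" is a placeholder app name.
USERS_XML = """<tomcat-users>
  <user name="admin" password="admin" roles="admin" />
  <user name="both" password="tomcat" roles="tomcat,role1" />
</tomcat-users>"""
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>live</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""
# Passwords printed in this guide; none should survive into a live file.
PUBLISHED = {"admin", "tomcat", "peterpan", "securepassword"}

def _local(el):
    """Tag name without an XML namespace (real web.xml files usually declare one)."""
    return el.tag.rsplit("}", 1)[-1]

def _texts(root, parent, child):
    """Text of every <child> element directly inside any <parent> element."""
    return {c.text.strip() for p in root.iter() if _local(p) == parent
            for c in p if _local(c) == child and c.text}

def audit(users_xml, web_xml):
    """Return a list of findings; an empty list means the two files agree."""
    users = {}
    for u in (e for e in ET.fromstring(users_xml).iter() if _local(e) == "user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username") or u.get("name") or ""] = (u.get("password", ""), roles)
    web = ET.fromstring(web_xml)
    required, declared = (_texts(web, p, "role-name") for p in ("auth-constraint", "security-role"))
    findings = [] if required else ["no role-name in any auth-constraint"]
    if "BASIC" not in _texts(web, "login-config", "auth-method"):
        findings.append("login-config does not select BASIC")
    for role in sorted(required):
        holders = sorted(n for n, (_, held) in users.items() if role in held)
        if not holders:
            findings.append(f"role '{role}' is required but no user holds it")
        if role not in declared:
            findings.append(f"role '{role}' is missing from security-role")
        for n in holders:
            if users[n][0] in PUBLISHED | {"", n}:
                findings.append(f"user '{n}' has an empty, username-equal or published password")
    return findings
```

Only users who hold a role required by web.xml are checked, because other accounts cannot pass the auth-constraint.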

 

 


 

STEP 4 : VERIFYING SECURITY

TO TEST SECURITY:

  1. Start Red5 Pro from the terminal by running {red5home}/red5.sh (Linux/Mac) or {red5home}/red5.bat (Windows).

  2. Once Red5 Pro has completed startup, visit the application’s URL in a browser:

    http://{red5prohost}:5080/{appname}

    Where {red5prohost} is your Red5 Pro server host/IP and {appname} is the Red5 application name.

  3. If everything was set up properly in the previous steps, you should be greeted with an HTTP authentication dialog box in the browser.

  4. Enter the username as admin and the password as securepassword (as configured earlier in STEP 1).

  5. If authentication fails repeatedly or you cancel the dialog, the server returns a 401 response and displays a Tomcat error message.

  6. On successful authentication, you should be able to see the page/location you requested (if it is renderable).
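The checks from Step 4 as a script instead of a browser dialog (an added example, not from the original guide); probe(), evaluate() and verify() are hypothetical helper names, and the URL passed in is your own server's. It also separates a 403 on the valid login, which means the user authenticated but does not hold the role named in auth-constraint.

```python
import base64
import urllib.error
import urllib.request

def probe(url, user=None, password=None, timeout=5):
    """Request url, optionally with Basic credentials; return (status, WWW-Authenticate)."""
    req = urllib.request.Request(url)
    if user is not None:
        # Basic credentials are only base64-encoded, not encrypted, on the wire.
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as err:  # 4xx and 5xx responses arrive as exceptions
        return err.code, err.headers.get("WWW-Authenticate", "")

def evaluate(anonymous, wrong_password, valid_login):
    """Each argument is a (status, challenge) pair from probe(); return the problems found."""
    problems = []
    status, challenge = anonymous
    if status != 401:
        problems.append(f"anonymous request returned {status}, expected 401")
    elif not challenge.lower().startswith("basic"):
        problems.append("401 challenge is not Basic")
    if wrong_password[0] != 401:
        problems.append(f"wrong password returned {wrong_password[0]}, expected 401")
    if valid_login[0] == 401:
        problems.append("valid login rejected: check tomcat-users.xml and the Realm line")
    elif valid_login[0] == 403:
        problems.append("valid login lacks the role named in auth-constraint")
    return problems

def verify(base_url, user, password):
    """Run the three requests of Step 4 against a server you administer."""
    return evaluate(probe(base_url),
                    probe(base_url, user, password + "-wrong"),
                    probe(base_url, user, password))
```

Call verify("http://{red5prohost}:5080/{appname}/", "admin", "securepassword") with your own host, application name and password; an empty list means all three checks passed.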

IMPORTANT NOTE:
TO SECURE ALL APPLICATIONS AT ONCE, ACTIVATE REALM SECURITY ON THE
root APPLICATION USING STEP 3.
