Authenticating Media Access

Introduction

The streaming server supports authentication, which restricts access to specific directories on the server to authenticated users. It implements RTSP authentication as defined in IETF RFC 2326. The implementation is similar to Apache htaccess authentication: a qtaccess file is created in the directory to be restricted. Authentication is generally required for "automatic unicasts" as outlined here on this site.

Once placed in a directory, the qtaccess file applies to that directory and all of its subdirectories. If a subdirectory contains another qtaccess file, that file takes precedence. Authentication uses two additional files in the Config directory of the streaming server. The qtusers file contains a list of users and their encrypted passwords; users can be added to it with the qtpasswd command-line utility. The qtgroups file contains group names, each followed by a list of usernames.

The default location of these files on the server is as follows:

Platform               Location of qtusers and qtgroups
Mac OS X               /Library/QuickTimeStreaming/Config/
Linux, BSD, Solaris    /etc/streaming/
Windows                C:\Program Files\Darwin Streaming Server\

On Mac OS X and other Unix-based systems, the qtusers and qtgroups files can only be altered by root, so you must use sudo to run the qtpasswd utility or edit the files. For example, to run qtpasswd and change the password for the user "fred" (the -p flag takes the password itself as its argument, so it is omitted here and qtpasswd prompts for the new password):
    sudo qtpasswd fred

To edit the qtgroups file on a Unix system with the pico editor:
    sudo pico /etc/streaming/qtgroups

Creating and Editing qtusers and qtgroups files

The qtpasswd command-line utility can be used to create or edit the qtusers and qtgroups files. The syntax for the command is:

Usage: qtpasswd [-F] [-f filename] [-c] [-g groupsfilename] [-r realm] [-p password] [-P passwordfile] [-A group] [-D group] [-d] [username]
The flags for this command are:
-F Don't ask for confirmation when deleting users or overwriting existing files.
-f Password file to manipulate (Default is "/Library/QuickTimeStreaming/Config/qtusers").
-c Create new file.
-g Groups file to manipulate (Default is "/Library/QuickTimeStreaming/Config/qtgroups"). If not found, will create one when necessary.
-r The realm name to use when creating a new file via "-c" (Default is "Streaming Server").
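-p Allows entry of password at command line rather than prompting for it. A password given this way is visible in the shell history and the process list; the prompt or -P avoids that.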
-P File to read the password from rather than prompting for it.
-d Delete the user. (Deletes the user from all groups).
-A Add user to group. Will create group automatically if group is not already present.
-D Delete the user from the group.
-C Create new group. Do not specify username with this option.
-R Delete the group. Do not specify username with this option.
-h Displays usage.
-v Displays usage.
-? Displays usage.
Notes:
  • The username must always be specified, except when the -C or -R option is used to create or delete a group.
  • Usernames cannot be more than 255 characters long and must not include a colon [:].
  • Passwords cannot be more than 80 characters long.
  • Groups cannot be more than 255 characters long and must not include a colon [:].
  • If the username or password contains whitespace or characters that the shell may interpret, enclose it in single quotes to prevent it from being interpolated.

The qtaccess file

The qtaccess file is a text file in the streaming server's Movies directory or one of its subdirectories. All media files in the directory containing the qtaccess file, and in its subdirectories, are protected by it. The parameters in the file include:

AuthName <message>
    This is the name of the authentication domain. This is not supported in the current dialog box, so this option will have no effect on client systems.
AuthUserFile <user filename>
    This is the name of the user file. If it is not specified, the default qtusers file will be used.
AuthGroupFile <group filename>
    This is the name of the groups file. If it is not specified, the default qtgroups file will be used.
AuthScheme
    This can be used to change the authentication scheme to either digest or basic, so the scheme can be set on a directory-by-directory basis.
require user <username1> <username2>
    The "require user" statement limits access to the media directory to the specified list of users.
require group <groupname1> <groupname2>
    The "require group" statement limits access to the media directory to the specified list of groups.
require valid-user
    The "require valid-user" statement limits access to the media directory to any valid user from the qtusers file.
require any-user
    The "require any-user" statement provides unlimited access to the media directory.
<Limit Write>
</Limit>
    The "require" statements above can be placed within the <Limit Write></Limit> tags. This construct is used for the RTSP announce protocol to limit the users that can broadcast through the server. It is outlined in greater detail here.
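
The precedence rule and the require directives above can be checked across a whole Movies tree. The following Python sketch is an added example, not part of the streaming server or its tools: it resolves which qtaccess file governs each directory and flags directories that are left open or that use basic authentication, which sends the password only base64-encoded. The directory names in the constructed sample tree and the case-insensitive keyword matching are assumptions.

```python
import tempfile
from pathlib import Path

def parse_qtaccess(text):
    """Return the AuthScheme and 'require' lists; <Limit Write> ones gate broadcasting."""
    policy, section = {"scheme": None, "read": [], "write": []}, "read"
    for parts in (ln.split() for ln in text.splitlines() if ln.strip()):
        key = parts[0].lower()  # assumption: keywords are matched case-insensitively
        if key.startswith(("<limit", "</limit")):
            section = "read" if key.startswith("</") else "write"
        elif key == "authscheme" and len(parts) > 1:
            policy["scheme"] = parts[1].lower()
        elif key == "require":
            policy[section].append(parts[1:])
    return policy

def nearest_qtaccess(root, directory):
    """Nearest qtaccess at or above directory, never looking above root."""
    root, cur = Path(root).resolve(), Path(directory).resolve()
    for d in [cur, *cur.parents]:
        if (d / "qtaccess").is_file() or d == root:
            break
    return d / "qtaccess" if (d / "qtaccess").is_file() else None

def audit(root):
    """Return {relative directory: finding} for root and every directory below it."""
    findings = {}
    for d in [Path(root), *(p for p in Path(root).rglob("*") if p.is_dir())]:
        path = nearest_qtaccess(root, d)
        policy = parse_qtaccess(path.read_text()) if path else {}
        verdict = "RESTRICTED"
        if not path or ["any-user"] in policy["read"]:
            verdict = "OPEN (require any-user)" if path else "OPEN (no qtaccess)"
        elif policy["scheme"] == "basic":
            verdict = "WEAK (AuthScheme basic)"
        findings[d.relative_to(root).as_posix()] = verdict
    return findings

def build_sample_tree():
    """Constructed sample Movies tree (directory and group names are made up)."""
    root = Path(tempfile.mkdtemp())
    layout = {"protected": "require group AuthUsers\n", "protected/clips": None,
              "protected/promo": "require any-user\n", "public": None,
              "legacy": "AuthScheme basic\nrequire valid-user\n"}
    for rel, text in layout.items():
        (root / rel).mkdir(parents=True, exist_ok=True)
        if text:
            (root / rel / "qtaccess").write_text(text)
    return root
```

Calling audit(build_sample_tree()) reports protected/promo as open even though its parent requires group AuthUsers, because the nearer qtaccess file takes precedence.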

Authentication example

This step-by-step example demonstrates how authentication to a directory can be accomplished.

  1. Create the user in qtusers using the qtpasswd command from the command line. In this example we'll create the user "john". The responses from the system are in italics.
    sudo qtpasswd john
    Adding userName john
    New password: ******
    Re-type new password: ******
  2. Next we'll add the user john to the qtgroups file using pico.
  3. Now the qtaccess file can be created in the directory we want to authenticate. To double-check the file we'll list it from the command-line using the "cat" command (we could use "type" on Windows):
    /Library/QuickTimeStreaming/Movies/protected admin$ cat qtaccess
    require group AuthUsers