Protecting content

All editions of Adobe Media Server support features that protect your content from being stolen and misused. Some features, such as true streaming, are intrinsic to the server and don’t need to be configured. Other features, such as enhanced RTMP (RTMPE), can be configured or disabled using XML configuration files. Still other features, such as controlling read and write access to specific server folders, can be custom built using client-side ActionScript and Server-Side ActionScript.

For a definitive guide to Adobe Media Server security, see Hardening guide for Adobe Media Server in the Adobe Developer Center.

Use Protected HTTP Dynamic Streaming to serve live and on-demand protected content to Flash Player and AIR over HTTP without using a DRM License Server. Protected HTTP Dynamic Streaming also supports SWF verification. When Adobe Media Server packages the content, it generates the license and embeds it in the metadata of the content stream.

Use Protected HTTP Live Streaming to serve live and on-demand protected content to iOS and MacOS without using a DRM License Server.

For more information, see Protected HTTP Dynamic Streaming and Protected HTTP Live Streaming.

Adobe Media Server can stream content encrypted by Adobe Access to Flash Player and AIR applications. Adobe Media Server can stream encrypted FLV files, encrypted MP4/F4V files, and encrypted HTTP Dynamic Streaming files. You can stream encrypted files using all supported protocols.

No specific configuration is required for Adobe Media Server to work with Adobe Access.

For more information, see the Adobe Access.

Adobe Media Server supports features that prevent unauthorized clients from sending streams to the server or from playing streams they aren’t authorized to access.

All server editions support the following features:

• Verify SWF files.

  You can configure Adobe Media Server to verify client SWF files before allowing them to connect to an application. This technique ensures that only SWF files you created can access this server. Third parties cannot create their own SWF files that attempt to stream your resources. For more information, see Verify SWF files.

• Allow and deny connections from specified domains.

  For more information, see Restrict which domains can connect to a virtual host.

All editions except Adobe Media Server Standard support the following features:

• Use the File plug‑in to verify SWF files. See Retrieving external SWF files for verification.

• Generate a unique key that is verified against the server, or request and accept an encrypted token from an application server.

• Use the Server-Side ActionScript Client object. This object provides information about clients that you can use to accept or reject connection requests. Check the URL of the SWF file or the server from which the client connection originated using the Client.referrer property. Check the IP address of the client using the Client.ip property.

• Verify the Flash Player version.

For more information about these features, see Securing applicationsin the Developer’s Guide.

The following techniques allow developers and administrators to control the data a client can access:

• Use the Server-Side ActionScript Client.readAccess and Client.writeAccess properties to specify a client’s read/write permissions to server resources, such as shared objects and streams.

• Use the Server-Side ActionScript Client.audioSampleAccess and Client.videoSampleAccess properties to allow a client to access raw, uncompressed data from streams in specified folders.

• Use the Authorization plug‑in to authorize access to events on the server such as playing and publishing streams. See Developing an Authorization plug-in.

• Configure virtual storage folders for streams, shared objects, and files. For more information, see Configuring content storage.

• Use the Access plug‑in to accept, reject, or redirect connections before they reach the server-scripting layer. For more information, see Developing an Access plug-in.

You can pass credentials, such as a user name and password, in the client-side NetConnection.connect() call and verify them against an external resource, such as a database, LDAP server, or other access-granting service. For more information, see Authenticate users.