[FFmpeg-devel] RTSP over HTTP tunnel authentication
Mon Jun 14 15:51:14 CEST 2010
On Sun, 13 Jun 2010, Stas Oskin wrote:
> > Not yet, a patch for that would be appreciated.
> Attached is a quick and dirty patch for HTTP tunnel authentication. The
> trick is to copy the HTTPAuthState from GET handler to POST handler.
> For quick proof of concept I placed the HTTPContext structure inside the
> rtsp.c file, but it is certainly advised to expose the HTTPContext structure in
> http.h or use any other technique for correct void pointer priv_data
> This patch works on multiple RTSP over HTTP sources I tried, and was
> verified to comply with Apple HTTP tunneling protocol.
Do you have any sample URLs that we could test this with? When testing
with DSS, the HTTP connection doesn't need any authentication at all,
instead the tunneled RTSP communication does the auth negotiation just as

I do agree that something like this may be needed, but I'm unsure what the
best way of handling it is.

The problem is that authentication combined with (large) HTTP POSTs is
tricky, to say the least. Normally, one would do the whole HTTP POST,
sending both request header and body data, and only then you'd get the 403
error reply saying which auth method to use (and a potential nonce, e.g.
for digest auth). For this case, we would never get the 403 error telling
us to reauthenticate until we're finished sending the POST data.

The proper solution to this is sending an Expect: 100-continue header in
the POST request, then waiting for a while after sending the whole request
header. The server is supposed to send either the 403 error, or a 100
Continue reply, so that the auth can be negotiated before actually sending
the body data of the request.

The problem, of course, is that few servers actually implement Expect:
100-continue properly. Apache does, lighttpd doesn't. DSS doesn't
implement it for the HTTP tunneling stuff either.

Also, copying the whole auth_state struct like this probably isn't a good
solution in general, since for digest auth, I'm not sure you're allowed
to reuse the nonces from the other request. Instead you should do a new
request, to get unique digest auth parameters for that connection. But
that would require using Expect: 100-continue, which can't be relied upon.

So for POST requests, I'm not sure if there's any good solution for
general, multi-pass auth mechanisms. If we still want to support basic
auth, we could perhaps do something like this:

    if (get_request_hd->auth_state->auth_type == HTTP_AUTH_BASIC)
        post_request_hd->auth_state->auth_type = HTTP_AUTH_BASIC;

So if we know we should use basic auth, use that on the post session, too.
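
Added example, not part of the original message or of FFmpeg's code: one way a client could act on whatever it reads while waiting after a POST header sent with Expect: 100-continue, including the timeout case for servers that ignore Expect. All identifiers are hypothetical; both 401 and 403 are treated as an authentication refusal, and a Digest challenge leads to a new request on this connection rather than reuse of a nonce from the GET connection.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* All names here are hypothetical, for this example only (not FFmpeg's). */
enum next_step {
    SEND_BODY,          /* stream the POST body */
    RESEND_WITH_BASIC,  /* repeat the header with Authorization: Basic */
    RESEND_WITH_DIGEST, /* repeat it, answering this connection's own nonce */
    RESEND_NO_EXPECT,   /* 417: the server rejects the Expect header */
    GIVE_UP
};

/* Case-insensitive test: does s start with p? */
static int has_prefix(const char *s, const char *p)
{
    while (*p && tolower((unsigned char)*s) == tolower((unsigned char)*p))
        s++, p++;
    return *p == '\0';
}

/* Value of the first WWW-Authenticate header in reply, or NULL. */
static const char *challenge(const char *reply)
{
    const char *line = reply;
    while ((line = strstr(line, "\r\n")) != NULL) {
        line += 2;                       /* start of the next header line */
        if (has_prefix(line, "WWW-Authenticate:")) {
            line = strchr(line, ':') + 1;
            return line + strspn(line, " \t");
        }
    }
    return NULL;
}

/* reply is NULL if the wait timed out; auth_sent means credentials were sent. */
enum next_step after_post_header(const char *reply, int auth_sent)
{
    int code;
    const char *c;
    if (!reply) return SEND_BODY;        /* no answer: Expect was ignored */
    if (sscanf(reply, "HTTP/%*d.%*d %3d", &code) != 1) return GIVE_UP;
    if (code == 100) return SEND_BODY;
    if (code == 417) return RESEND_NO_EXPECT;
    if ((code != 401 && code != 403) || auth_sent || !(c = challenge(reply)))
        return GIVE_UP;                  /* other error, refused, or no challenge */
    if (has_prefix(c, "Basic")) return RESEND_WITH_BASIC;
    return has_prefix(c, "Digest") ? RESEND_WITH_DIGEST : GIVE_UP;
}
```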