Is there a test Playreadyready encrypted SMOOTH stream that needs a license URL and token? I had a look into http://playready.directtaps.net/smoothstreaming/ and got a playready encrypted stream http://playready.directtaps.net/smoothstreaming/SSWSS720H264PR/SuperSpeedway_720.ism/Manifest .
However, this plays even without a license server URL and token. Had a look into Microsoft Azure media services for encrypting a content, however encryption option is disabled in free version. Thanks!
I had this problem too, usually the license server URL is embedded on the Manifest file, when AVPlay doesn't get the URL on the config, it gets the license URL from the manifest and starts playback.
Related
This post became much longer than anticipated, TLDR: Where is my ASFS Federation Metadata located on my server? My overall task to the setup a test ADFS server in order to integrate our current application with ADFS
Hello, I'm trying to integrate our application with ADFS (it's a WPF application with a NodeJS backend), and I'm testing out Auth0 for this job (but if there are other simple solutions, I would be open to that as well - I've found no good guides so far ): espeically as a developer with no AD experience).
Regardless, I think I've set up a single server AD FS environment (locally as server1.local - with AD CS, AD DS and AD FS and that same server is the domain controller/DNS server) and set up an Auth0 relying party using this guide:
https://auth0.com/docs/connections/enterprise/adfs
In the next steps part, it says: try these quickstart guides. So I've downloaded the Angular2 quick start example project to test. But when I go to the enterprise connections and try to set up an ADFS connection, it asks for a ADFS URL
You can either provide the ADFS URL or upload the federation metadata file.
But I can't seem to find my ADFS URL. Not only that, my server is local, so it wouldn't be able to use my URL anyways right? I can just upload the metadata instead?
I've tried going to https://server1.local/federationmetadata/2007-06/federationmetadata.xml and https://127.0.0.1/FederationMetadata/2007-06/FederationMetadata.xml and https://localhost/FederationMetadata/2007-06/FederationMetadata.xml which under endpoints that's the one that shows, but ie says:
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://server1.local again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
I've enabled TLS 1.0, 1.1 and 1.2 and this still doesn't seem to give me my metadata. I've also tried that URL on Chrome and it gives a generic "This site can't be reached"
How do I get my metadata?
In the ADFS configuration, look for what you configured as your federation service name.
Use this in the URL.
https://federation service name/federationmetadata/2007-06/federationmetadata.xml
BTW the federation service name should not be the FQDN of the server.
I am developing an in-house enterprise application with iOS and am slightly concerned about security. If anyone intercepts the URL containing the IPA file then they will be able to download and use the file. Is there any way of making this more secure? I know I can put the link behind a login system but if someone copies the URL and shares it, others will be able to download.
http://example.com/
manifest.plist">Install App
The only way to achieve this is to have temporary credentials as URL Parameter! (Authorization Header don't work so forget about oauth).
The security (user, password, token, etc) has to come from the backend.
And more: http is not working. You need https (in detail TLS>=1.2) and trusted TLS certifactes (selfsigned not working).
I need to protect my API for CSRF on post and put requests.
To do that, I think the mobile device (example iOS) need to send to the API server (node.js) a token. This token must be encrypted and contain a JSON data that will be decrypted server side.
To decrypt the data, the mobile device use the same secret key that the sever know.
For example : {_csrf: 123456789} will be decrypted from the token sent via the mobile device and checked by the API if it match.
Is it the right way ? If not what is the right way ?
How I can encrypt a Jon data on iOS and decrypt it on node.js ? (JWT Token does not have library for iOS)
Can you provide me a example code to encrypt data on iOS et decrypt on node.js ?
Just use https, it encrypts everything, even any query string.
The content is encrypted with a random symmetric key and that key is encrypted with a asymmetric key from the certificate. Additionally the symmetric key has a short lifetime. Additionally you do not have to implements and encryption routines.
Also note that iOS9 will by default require https to be used for all connections, any http connections will need to be white-listed in the plist.
If you do your own encryption you immediately have a problem sharing the encryption key between the device and the server. This is not an easy problem to solve.
When accessing the API from a browser page, to protect against CSRF, you can send a token in HTTP headers, for example, X-CSRF-Token, or, use a cookie.
For example, have your server send the CSRF token in an HTTP response using the X-CSRF-Token header. You can have your page send it back in the JSON on the POST or PUT. Or have your page read it from the cookie and put it into the JSON.
(HTTPS from the browser will not protect against CSRF, since any script on any other site running in the same browser can POST to your HTTPS server freely. Your page needs to have a token that no other page in the same browser has access to.)
I have an iPhone app that uses a Rails server HTTP API. The API is public at this point - no authorisation is required to get the data.
Currently anyone can go to API's URL and download the data.
http://server.com/mydata
The data is not very sensitive. But I still want to prevent people from easily getting it. What are the ways of doing that? I do not want iOS app users to log in either.
Current solution I have
iPhone app adds a secret token to the HTTP header or query of the request. The data goes over HTTPS.
https://server.com/mydata?secret=my_secret
Is there a better approach?
You could try an approach where the client is only allowed X number of requests per time period (based on IP address or username)
HTTPS is extremely easy to man in the middle on a device you control. You can do SSL cert validation, but there is always someone out there with more time, so best off to handle it server side.
Distribute and use your own SSL certificate.
Apps that transfer sensitive customer data, like credit card and payment information, must be protected from man-in-the middle attacks. The best protection is a mutual authentication scheme, where certificates are exchanged to make sure the app is connected to a trusted server and to make sure the server is connected to a trusted app.
Then only individuals (who have presumably installed your application) have access. If someone digs through the code and gets the public certificate then they can impersonate the client; but at that point they win anyway and two-factor authentication should be explored.
I'm creating a viewer app for Windows Phone 7. The app already handles the OAuth2 stuff and succesfully browses Google Doc's folder structure.
I use Google Documents List API 3. BTW browsing works perfectly without using request headers, instead I append the access_token to the request Uri.
Now the app needs to show files to the user, if possible without downloading them first. This means that I want to set the UI's Image.Source to the Uri of an image, the UI's MediaElement.Source to the Uri of a video and the BackgroundAudioPlayer.Track.Source to the Uri of an audio file. Obviously I can't use request headers in this scenario.
However it seems that simply appending the access_token to the download Uri doesn't work. The UI elements fail with generic error messages, and if I manually try with a web browser (which isn't logged in to Google) it shows an empty screen, a 401 error or it redirects to Google's login page.
Is it possible to download/stream a Google Data entry just by defining the Uri? If yes, what does the Uri need to look like?
Support for authorization using the access_token URL parameter has not been allowed on purpose for security reasons. Basically if a user would be to open a malicious file on a browser (e.g html containing some Javascript would suffice) the malicious code on the file could steal the access token in the URL and send it to a third party bad guy.
To access the file you need to authorize using "Authorization" HTTP header. Simply add an HTTP header to the request which is like:
Authorization: Bearer access_token_here