Re: Problem with Digest Authentication in DSS 4.0

Subject: Re: Problem with Digest Authentication in DSS 4.0
From: Mythili Devineni <email@hidden>
Date: Fri, 24 May 2002 11:06:29 -0700

Ross

The server doesn't keep the RTSPSession around once an error was sent back in the RTSP response. There is no need for it to keep the first RTSPSession around when it gets the second RTSP request (this time with the authentication headers).

Digest authentication works in DSS 4.0. Your qtaccess file is set up incorrectly. The limit end tag is </Limit>, and not </Limit READ> or </Limit WRITE>

What is really happening? The access file authentication code finds a qtaccess file, but it is incorrect, so the limit tags and all lines within them are ignored. The qtaccess file is then a blank file. The presence of a qtaccess file without any lines implies that no one is authorized to view the content in this directory or broadcast to this directory.

Try changing your qtaccess file to :
<Limit WRITE>
	require valid-user
</Limit>
require valid-user

Note: You don't need the <Limit READ> </Limit> directive for read access, as the default is for read access. Anything outside the Limit WRITE directives is treated as fields for read access.

Let me know if this doesn't work for you
mythili

On Wednesday, May 22, 2002, at 11:17 PM, Ross Finlayson wrote:

I'm having trouble getting Digest Authentication to work properly in DSS 4.0 (while handling a RTSP "ANNOUNCE"). The problem seems to be caused by the fact that DSS is creating a new "RTSPSession" object for each incoming RTSP request.

My "qtaccess" file is set up as follows <Limit WRITE> require valid-user </Limit WRITE> <Limit READ> require valid-user </Limit READ> and I have a password entry set up for the user "theuser" in the "qtusers" file.

My client begins by sending an "ANNOUNCE" request without any "Authorization:" header:
-------------------------------------------------
ANNOUNCE rtsp://ns.live.com:7070/h263plusTest.sdp RTSP/1.0
CSeq: 1
Content-Type: application/sdp
Content-length: 213
v=0
o=- 49452 4 IN IP4 127.0.0.1
t=0 0
m=audio 6666 RTP/AVP 3
c=IN IP4 66.80.62.34/127
a=control:trackID=1
m=video 8888 RTP/AVP
c=IN IP4 66.80.62.34/127
a=rtpmap:96 H263-1998/90000
a=control:trackID=2
-------------------------------------------------
to which the server responds:
------------------------------------------------- RTSP/1.0 401 Unauthorized Server: DSS/4.0 (Build/421; Platform/FreeBSD;) Cseq: 1 WWW-Authenticate: Digest realm="Streaming Server", nonce="1f93b29d8c8bf9f247a8548cb03d5569" -------------------------------------------------

So far, so good. My client then sends another request - this time with an "Authorization" header containing a Digest:

------------------------------------------------- ANNOUNCE rtsp://ns.live.com:7070/h263plusTest.sdp RTSP/1.0 CSeq: 2 Content-Type: application/sdp Authorization: Digest username="theuser", realm="Streaming Server", nonce="1f93b29d8c8bf9f247a8548cb03d5569", uri="rtsp://ns.live.com:7070/h263plusTest.sdp";, response="6df9ce0da8a5b3ab5b6b15dd0f622ade" Content-length: 213
v=0
o=- 49452 4 IN IP4 127.0.0.1
t=0 0
m=audio 6666 RTP/AVP 3
c=IN IP4 66.80.62.34/127
a=control:trackID=1
m=video 8888 RTP/AVP 96
c=IN IP4 66.80.62.34/127
a=rtpmap:96 H263-1998/90000
a=control:trackID=2
-------------------------------------------------
(I have confirmed that "response" was constructed correctly.) Despite this, the server then responds with another "401 Unauthorized" response:

------------------------------------------------- RTSP/1.0 401 Unauthorized Server: DSS/4.0 (Build/421; Platform/FreeBSD;) Cseq: 2 WWW-Authenticate: Digest realm="Streaming Server", stale="true", nonce="c4e222484b897a0e18cea55515dcd02e" -------------------------------------------------

On debugging the DSS, I found that the problem seems to be that the call to "GetSessionTask()" (in "TCPListenerSocket::ProcessEvent()") causes a completely new "RTSPSession" object to be constructed for each request. So, when handling the second "ANNOUNCE" request, the DSS is using a different "RTSPSession" from the one that it used to handle the first "ANNOUNCE" request. Because of this, the following code - in the routine "RTSPSession::CheckAuthentication()", line 1440 - is not working properly (when handling the second "ANNOUNCE"):
            if(responseDigest->Equal(requestDigest)) {
               if(!(nonce->Equal(*(fRTPSession->GetAuthNonce()))))
                  fRequest->SetStale(true);
The first "if" is succeeding, as it should (because the "response" digest in the request matches the hash that the server constructs). However, because "fRTPSession" is completely new for this request, "fRTPSession->GetAuthNonce()" is NULL, and so the second "if" also succeeds. Because of this, this request gets marked as 'stale'. Consequently, at the end of "RTSPSession::CheckAuthentication()", "qtssUserName" is set to NULL, which later causes authentication to fail.
My first thought was to try to fix this by changing the second "if" to:
               if(fRTPSession->GetAuthNonce() != NULL
                  && !(nonce->Equal(*(fRTPSession->GetAuthNonce()))))
                  .....
With this change, the second "ANNOUNCE" gets authenticated and succeeds OK. However, the subsequent "SETUP" requests also fail with "401 Unauthorized", so it doesn't really help.

The real problem here is that "RTSPListenerSocket::GetSessionTask()" is creating a new "RTSPSession" object for each request. If, instead, the same "RTSPSession" object were used for both "ANNOUNCE" requests (and the subsequent "SETUP"s), the Digest Authentication would probably work correctly.

So, is this a bug? Has anyone gotten Digest Authentication to work properly with DSS 4.0?

Ross. _______________________________________________ streaming-server-developers mailing list | streaming-server- email@hidden Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/streaming-server-developers Do not post admin requests to the list. They will be ignored.

_______________________________________________
streaming-server-developers mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/streaming-server-developers
Do not post admin requests to the list. They will be ignored.

Follow-Ups:
- Re: Problem with Digest Authentication in DSS 4.0
  - From: Ross Finlayson <email@hidden>

References:
	>Problem with Digest Authentication in DSS 4.0 (From: Ross Finlayson <email@hidden>)

Prev by Date: Re: Performance testing
Next by Date: Re: Help!! Problems streaming MJPEG formatted data with QTSS and QuickTime Player
Previous by thread: Problem with Digest Authentication in DSS 4.0
Next by thread: Re: Problem with Digest Authentication in DSS 4.0
Index(es):
- Date
- Thread

Home