[FFmpeg-devel] RTSP over HTTP tunnel authentication

Martin Storsjö martin
Mon Jun 14 15:51:14 CEST 2010


On Sun, 13 Jun 2010, Stas Oskin wrote:

> > Not yet, a patch for that would be appreciated.
> >
> Attached is a quick and dirty patch for HTTP tunnel authentication. The
> trick is to copy the HTTPAuthState from GET handler to POST handler.
> 
> For quick proof of concept I placed the HTTPContext structure inside the
> rtsp.c file, but it is certainly advised to expose the HTTPContext structure in
> http.h or use any other technique for correct void pointer priv_data
> de-referencing.
> 
> This patch works on multiple RTSP over HTTP sources I tried, and was
> verified to comply with Apple HTTP tunneling protocol.

Do you have any sample URLs that we could test this with? When testing 
with DSS, the HTTP connection doesn't need any authentication at all, 
instead the tunneled RTSP communication does the auth negotiation just as 
usual.

I do agree that something like this may be needed, but I'm unsure what the 
best way of handling it is.

The problem is that authentication combined with (large) HTTP POSTs is 
tricky, to say the least. Normally, one would do the whole HTTP POST, 
sending both request header and body data, and only then you'd get the 403 
error reply saying which auth method to use (and a potential nonce, e.g. 
for digest auth). For this case, we would never get the 403 error telling 
us to reauthenticate until we're finished sending the POST data.

The proper solution to this is sending an Expect: 100-continue header in 
the POST request, then waiting for a while after sending the whole request 
header. The server is supposed to send either the 403 error, or a 100 
Continue reply, so that the auth can be negotiated before actually sending 
the body data of the request.

The problem, of course, is that few servers actually implement Expect: 
100-continue properly. Apache does, lighttpd doesn't. DSS doesn't 
implement it for the HTTP tunneling stuff either.

Also, copying the whole auth_state struct like this probably isn't a good 
solution in general, since for digest auth, I'm not sure you're allowed 
to reuse the nonces from the other request. Instead you should do a new 
request, to get unique digest auth parameters for that connection. But 
that would require using Expect: 100-continue, which can't be relied upon.

So for POST requests, I'm not sure if there's any good solution for 
general, multi-pass auth mechanisms. If we still want to support basic 
auth, we could perhaps do something like this:

  if (get_request_hd->auth_state->auth_type == HTTP_AUTH_BASIC)
      post_request_hd->auth_state->auth_type = HTTP_AUTH_BASIC;

So if we know we should use basic auth, use that on the post session, too.

// Martin
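
A sketch of the Basic-only inheritance suggested above, added as an illustration and not part of the original message or of FFmpeg's code: the POST side of the tunnel takes over Basic auth from the GET side and can then send credentials on its first request, while digest state (including the nonce) is not copied. The struct and function names are hypothetical stand-ins, not FFmpeg's HTTPContext or HTTPAuthState.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for illustration; not FFmpeg's structs. */
enum auth_type { AUTH_NONE, AUTH_BASIC, AUTH_DIGEST };
struct auth_state {
    enum auth_type type;
    char realm[64];
    char nonce[64];            /* digest only: issued by the server per challenge */
};

/* Seed the POST side from what the GET side negotiated.
 * Returns 1 if the POST can send credentials on its first request. */
int inherit_tunnel_auth(struct auth_state *post, const struct auth_state *get)
{
    memset(post, 0, sizeof(*post));
    if (get->type != AUTH_BASIC)
        return 0;              /* digest: the GET's nonce is not carried over */
    post->type = AUTH_BASIC;
    snprintf(post->realm, sizeof(post->realm), "%s", get->realm);
    return 1;
}

/* Write "Authorization: Basic <base64(user:pass)>\r\n" into out.
 * Returns the header length, or -1 if a buffer is too small. */
int basic_auth_header(char *out, size_t outlen, const char *user, const char *pass)
{
    static const char b64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    char cred[128];
    int n = snprintf(cred, sizeof(cred), "%s:%s", user, pass);
    if (n < 0 || (size_t)n >= sizeof(cred))
        return -1;
    if (outlen < 21 + 4 * (((size_t)n + 2) / 3) + 3)  /* prefix, base64, CRLF, NUL */
        return -1;
    size_t o = (size_t)sprintf(out, "Authorization: Basic ");
    for (int i = 0; i < n; i += 3) {
        unsigned v = (unsigned)(unsigned char)cred[i] << 16;
        if (i + 1 < n) v |= (unsigned)(unsigned char)cred[i + 1] << 8;
        if (i + 2 < n) v |= (unsigned char)cred[i + 2];
        out[o++] = b64[v >> 18];
        out[o++] = b64[(v >> 12) & 63];
        out[o++] = i + 1 < n ? b64[(v >> 6) & 63] : '=';
        out[o++] = i + 2 < n ? b64[v & 63] : '=';
    }
    memcpy(out + o, "\r\n", 3);
    return (int)(o + 2);
}
```

Basic credentials are only base64-encoded, so sending them unprompted on the POST exposes them to anyone who can read the connection unless the tunnel runs over TLS.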


