RTSP - Basic Authentication

RTSP authentication uses the HTTP authentication scheme specified in RFC 2617.

RFC 2068 (HTTP/1.1), section 11, gives details of Basic and Digest authorization. However, RFC 2068 is obsolete, and it is better to read RFC 2617.

This entry only talks about Basic Authentication for RTSP.

Before understanding Basic RTSP authentication, you have to understand Basic HTTP authentication.

HTTP/1.1 Basic Authorization

When a client accesses a page it is not authorized for, a 401 Unauthorized response should be returned to the client. More importantly, the following header should be returned:

WWW-Authenticate: Basic realm="your_realm"

You should replace your_realm with your own security realm. Also, for an HTTP page, it is recommended to return simple HTML content with the 401 Unauthorized response.

Upon receiving the response, the client should retry with a username and password.

The credential format is username:password and this credential is Base64 encoded. The encoded credential should be placed in the following header

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

The server will Base64 decode the encoded credential and perform its specific authentication process.

Below is a full example capture of an Unauthorized 401 message


Below is a sample of HTTP header with Basic authorization




RTSP/1.0 Basic Authorization

Since RTSP/1.0 uses HTTP/1.1 authorization technique, it is rather simple to implement RTSP authentication.

When RTSP authorization is enabled, it should be applied to all commands.

When a client sends an RTSP command, e.g. OPTIONS, to the server without authorization information, the server should respond with an RTSP 401 Unauthorized message with the following header:

WWW-Authenticate: Basic realm="your_realm"

You should replace your_realm with your own security realm.

Upon receiving the response, the client should retry with a username and password.

The credential format is username:password and this credential is Base64 encoded. The encoded credential should be placed in the following header

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

The server will Base64 decode the encoded credential and perform its specific authentication process.

You will notice that the process is exactly the same as for HTTP. The only difference is that the two sides are communicating over the RTSP protocol.

Below is an example of RTSP/1.0 401 Unauthorized response


Below is an example of RTSP/1.0 authorization message for SETUP command



The real trick is that every RTSP command requires an Authorization header.
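The server side of the exchange described above, as an added example that is not code from the original post: it models only the authentication gate, applied to every request regardless of method. The account table, the camera.example URLs, the CSeq values and the function names are assumptions made for the example.

```python
import base64
import hmac

USERS = {"Aladdin": "open sesame"}  # constructed account: the pair the page's header encodes
REALM = "your_realm"                # placeholder realm, as on the page

def parse_headers(raw):
    """Return the headers of a raw RTSP request, names lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_basic(value):
    """Return the user name for a valid 'Basic <base64>' value, else None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:              # bad Base64 or bad UTF-8: treat as no credentials
        return None
    user, sep, password = decoded.partition(":")   # password may itself contain ':'
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    # Constant-time comparison, so timing does not reveal how much of the password matched.
    return user if hmac.compare_digest(password.encode(), expected.encode()) else None

def handle(raw):
    """Gate one request; the same check runs whatever the method is."""
    headers = parse_headers(raw)
    cseq = headers.get("cseq", "0")  # RTSP responses echo the request's CSeq
    if check_basic(headers.get("authorization", "")) is None:
        return ("RTSP/1.0 401 Unauthorized\r\n"
                f"CSeq: {cseq}\r\n"
                f'WWW-Authenticate: Basic realm="{REALM}"\r\n\r\n')
    return f"RTSP/1.0 200 OK\r\nCSeq: {cseq}\r\n\r\n"

# Constructed sample requests (URL and CSeq values are made up for the example).
NO_AUTH = "OPTIONS rtsp://camera.example/stream RTSP/1.0\r\nCSeq: 1\r\n\r\n"
WITH_AUTH = ("SETUP rtsp://camera.example/stream/track1 RTSP/1.0\r\nCSeq: 2\r\n"
             "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n\r\n")

if __name__ == "__main__":
    print(handle(NO_AUTH))
    print(handle(WITH_AUTH))
```

Because Base64 is a reversible encoding and not encryption, the Authorization value in WITH_AUTH decodes straight back to username:password, so Basic only protects the credential when the RTSP connection itself is encrypted.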

As an additional note, for RTSP over HTTP you have to provide the Authorization header for authentication during both the POST and GET socket setup.
