Applying Security by Using Authentication and Authorization

Applying Security by Using Authentication and Authorization

Authentication and authorization plug-ins can be enabled for an origin server, a proxy server, or both. For example, if an authentication plug-in is enabled for a proxy server and a client requests a connection to an origin server, the proxy issues a 407 response message to indicate that proxy authentication is required. The client must then supply credentials that the plug-in on the proxy server can use to verify identity. If an authentication plug-in is also enabled on the origin server, the proxy attempts to establish a connection to the origin by, for example, issuing a Get request. The origin server responds with a 401 message indicating that access is unauthorized. The proxy passes this message to the client, and the client must again supply credentials. The proxy passes the credentials to the origin server. The origin server then attempts to verify the client's identity. This is illustrated by the following diagram.

In general, if an upstream server issues authentication challenges, content from that server cannot not be cached. Because a cache proxy plug-in does not typically request that the proxy server contact the origin server and perform a freshness check unless content has expired, the origin does not have the opportunity to authenticate and authorize the client. Therefore, a Windows Media cache proxy server proxies rather than caches content that requires authentication and authorization.

Similarly, a proxy server cannot split a playlist broadcast from any upstream server that requires authentication and authorization. Whenever a proxy server splits a broadcast, there is only one connection between the proxy and the origin. Therefore, the proxy cannot send credentials for any client that connects after the first, and it is possible that security applied to a playlist or to specific files within the playlist will be violated. Because there is only one stream from the origin to the proxy server, all clients connected to the proxy would receive the stream whether or not they are authorized to view all of its constituent elements. Therefore, each connected client must receive its own broadcast proxied from the origin server, and there will be one connection per client.

Finally, if a content provider begins requiring authentication and authorization for previously unsecured digital content, it is recommended that the file be removed from the cache proxy server and resaved on the origin server to adjust the last modified date. The next freshness check will therefore discover that the file has been changed, and, because it now requires authentication, the cache manager will not allow it to be downloaded again.

See Also

• Windows Media Server Cache Proxy Functionality