Protect Red5 Pro Streams with Simple Authentication

Simple Authentication is the quickest way to add connection-level access control to your Red5 Pro streams. You define username/password pairs in a credentials file and configure which application and protocols require authentication — then clients pass their credentials as connection parameters when they publish or subscribe.

How it works

The red5pro-simple-auth-plugin intercepts every incoming connection to your Red5 Pro application. When a client connects to publish or subscribe, the plugin extracts the username and password parameters and checks them against a credential store. If the credentials match, the connection proceeds; otherwise, Red5 Pro rejects it. You can choose between two credential stores:

In-memory (properties file)

Credentials are loaded from RED5_HOME/conf/simple-auth-plugin.credentials at startup and held in memory. Changes require a server restart.

File validator (per-app)

Each application can point to its own credentials file inside its WEB-INF directory, giving you isolated credential sets per app.

Step 1 — Configure the plugin

The global plugin settings live in RED5_HOME/conf/simple-auth-plugin.properties. By default, the plugin is inactive server-wide; you enable it per-application using the application-level bean (see step 2).

# RED5_HOME/conf/simple-auth-plugin.properties

# Set to true to enforce authentication on ALL applications by default
simpleauth.default.active=false

# Default credentials file (relative to RED5_HOME/conf)
simpleauth.default.defaultAuthValidatorDataSource=simple-auth-plugin.credentials

# Protocols to secure when active=true
simpleauth.default.rtmp=true
simpleauth.default.rtsp=true
simpleauth.default.rtc=true

# Allow RTMP clients to pass credentials in the query string
simpleauth.default.rtmp.queryparams=true

# Allowed RTMP agent strings (* = all)
simpleauth.default.rtmp.agents=*

If you set simpleauth.default.active=true, every application on the server requires authentication. Leave it false to enable authentication selectively per application.

Step 2 — Enable authentication for an application

Add the simpleAuthSecurity bean to your application’s context file. For the built-in live application, that file is RED5_HOME/webapps/live/WEB-INF/red5-web.xml.

<!-- RED5_HOME/webapps/live/WEB-INF/red5-web.xml -->

<bean id="simpleAuthSecurity" class="com.red5pro.server.plugin.simpleauth.Configuration">
    <property name="active" value="true" />
    <property name="rtmp"   value="true" />
    <property name="rtsp"   value="true" />
    <property name="rtc"    value="true" />
    <property name="rtmpAllowQueryParamsEnabled" value="true" />
    <property name="allowedRtmpAgents"           value="*" />
</bean>

This configuration requires authentication on RTMP, RTSP, and WebRTC connections. Any missing property falls back to the value in simple-auth-plugin.properties.

Bean properties reference

Property	Type	Description
`active`	Boolean	Enables or disables authentication for this application
`rtmp`	Boolean	Enforces authentication on RTMP connections
`rtsp`	Boolean	Enforces authentication on RTSP connections
`rtc`	Boolean	Enforces authentication on WebRTC connections
`rtmpAllowQueryParamsEnabled`	Boolean	Allows RTMP clients to pass credentials in the URL query string
`allowedRtmpAgents`	String	Semicolon-separated list of permitted RTMP agent strings; `*` allows all
`validator`	Reference	Bean reference to a custom validator (omit to use the default file validator)

Step 3 — Add credentials

Edit RED5_HOME/conf/simple-auth-plugin.credentials. Each line holds one username/password pair separated by a single space.

# RED5_HOME/conf/simple-auth-plugin.credentials
#
# Format: username password  (one pair per line)

publisher1 secret123
viewer1    viewpass

To add a user, append a new line. To remove a user, delete the corresponding line.

Red5 Pro must be restarted for credential changes to take effect when using the default in-memory validator.

Step 4 — Connect clients with credentials

Clients must include username and password as connection parameters. The plugin extracts and validates these values before the publish or subscribe action is allowed.

WebRTC (HTML5 SDK)
RTMP (ActionScript)
RTSP — Android
RTSP — iOS
RTMP — FFmpeg

Pass credentials via the connectionParams property of your base configuration object.

var baseConfiguration = {
  host: 'your-server.com',
  app: 'live',
  iceServers: iceServers,
  bandwidth: desiredBandwidth,
  connectionParams: {
    username: 'publisher1',
    password: 'secret123'
  }
};

Pass username and password as the first two arguments to NetConnection.connect().

var nc:NetConnection = new NetConnection();
nc.addEventListener(NetStatusEvent.NET_STATUS, onStatus);
nc.connect("rtmp://your-server.com/live", "publisher1", "secret123");

function onStatus(ns:NetStatusEvent):void {
    trace(ns.info.code);
}

If rtmpAllowQueryParamsEnabled is true, you can also embed credentials in the URL:

nc.connect("rtmp://your-server.com/live?username=publisher1&password=secret123");

Set credentials on the R5Configuration object using semicolon-delimited key/value pairs.

R5Configuration config = new R5Configuration(
    R5StreamProtocol.RTSP,
    TestContent.GetPropertyString("host"),
    TestContent.GetPropertyInt("port"),
    TestContent.GetPropertyString("context"),
    TestContent.GetPropertyFloat("buffer_time"));

config.setParameters("username=publisher1;password=secret123;");
R5Connection connection = new R5Connection(config);

Assign a semicolon-delimited parameter string to config.parameters.

func getConfig() -> R5Configuration {
    let config = R5Configuration()
    config.host        = Testbed.getParameter("host") as! String
    config.port        = Int32(Testbed.getParameter("port") as! Int)
    config.contextName = Testbed.getParameter("context") as! String
    config.parameters  = "username=publisher1;password=secret123;"
    config.protocol    = 1
    config.buffer_time = Testbed.getParameter("buffer_time") as! Float
    return config
}

Embed credentials in the RTMP URL as query parameters.

ffmpeg -re -i input.mp4 \
  -c:v h264 -c:a aac \
  -f flv "rtmp://your-server.com:1935/live?username=publisher1&password=secret123/myStream"

Using a per-application credentials file

To keep credentials isolated for a specific application, configure a custom file validator bean and point it at a credentials file inside the application’s WEB-INF directory.

Copy the credentials file

Copy RED5_HOME/conf/simple-auth-plugin.credentials to RED5_HOME/webapps/live/WEB-INF/simple-auth-plugin.credentials and add the credentials for this application.

Add the validator bean to red5-web.xml

<bean id="authDataValidator"
      class="com.red5pro.server.plugin.simpleauth.datasource.impl.Red5ProFileAuthenticationValidator"
      init-method="initialize">
    <property name="context"    ref="web.context" />
    <property name="dataSource" value="/WEB-INF/simple-auth-plugin.credentials" />
</bean>

<bean id="simpleAuthSecurity" class="com.red5pro.server.plugin.simpleauth.Configuration">
    <property name="active"                     value="true" />
    <property name="rtmp"                       value="true" />
    <property name="rtsp"                       value="true" />
    <property name="rtc"                        value="true" />
    <property name="rtmpAllowQueryParamsEnabled" value="true" />
    <property name="allowedRtmpAgents"           value="*" />
    <property name="validator"                   ref="authDataValidator" />
</bean>

Restart Red5 Pro

Restart the server so the new bean configuration and credentials file are loaded.

The file validator is ideal when different applications on the same server need separate credential sets, or when you want to manage credentials per app independently.

Cluster support

When you run a Red5 Pro cluster, the cluster-restreamer process that replicates streams from origin to edge nodes is itself a connecting client. When Simple Authentication is active, you must allow the restreamer to authenticate. Add the following entry to your credentials file on every node:

cluster-restreamer <your-cluster-password>

The cluster password is the value set in RED5_HOME/conf/cluster.xml. This ensures the restreamer can authenticate just like any other client.

When to use Simple Authentication

Good fits

Small deployments with a fixed set of known publishers and subscribers
Two-way chat applications where every participant has a credential pair
Internal or staging environments where ease of setup matters more than scalability
Situations where you need to know who is connecting (named users)

Poor fits

Applications with anonymous or dynamic user bases (no fixed credentials)
One-to-many broadcasts where you need to distinguish publishers from a large subscriber audience — consider JWT Authentication or Round-Trip Authentication instead
Large deployments that require per-user access control without restarting the server to reload credentials

​How it works

In-memory (properties file)

File validator (per-app)

​Step 1 — Configure the plugin

​Step 2 — Enable authentication for an application

​Bean properties reference

​Step 3 — Add credentials

​Step 4 — Connect clients with credentials

​Using a per-application credentials file

​Cluster support

​When to use Simple Authentication

How it works

Step 1 — Configure the plugin

Step 2 — Enable authentication for an application

Bean properties reference

Step 3 — Add credentials

Step 4 — Connect clients with credentials

Using a per-application credentials file

Cluster support

When to use Simple Authentication