Jive provides the ability to view videos without sacrificing the security of your instance.
Jive also enables you to configure your video instance with additional security features.
The Jive Video plugin enables users to upload videos into Jive. To accomplish this, Jive has
partnered with a company called Twistage for video upload, encoding, storage, and playback. In
order to play video assets that have been uploaded, Jive uses a Flash video player that is
provided by Twistage.
How Jive Makes Video Secure
- Users who view videos must be using a valid Jive instance. Jive uses an encrypted
security token to retrieve videos from the Content Delivery Network (CDN) and Twistage.
This token is verified with an authentication callback script before the video is played
for the user.
- Users who request videos must be authorized to view them. The security token passed from
Jive to the CDN/Twistage and back to Jive contains the information regarding whether the
user who is viewing the video has permission.
- Videos cannot easily be copied and stored locally.
  - The video plugin uses Real Time Messaging Protocol (RTMP) to stream the video to the
    Flash player. This prevents the video from being cached on the user's machine and
    therefore makes it more difficult to record the video.
  - Even though you can strip the embed code from a Jive video to view the video in a
    third-party page, the token associated with the video is only valid for the configured
    amount of time and number of plays. Once either of these values is exceeded, the video
    no longer plays.
- As a security precaution, most modern web browsers block playback of any embedded videos
that do not support HTTPS endpoints. However, most sites that users are likely to embed videos
from support HTTPS endpoints. Your Jive instance does not have any control over this browser
behavior.
Overview of Security Architecture
The following outlines the request lifecycle for an authenticated RTMP video stream:
- The user attempts to view a video within Jive.
- While generating the video page, Jive generates an encrypted security token.
- When the user clicks play, the player requests the video from the CDN, passing along the
security token.
- The CDN calls Twistage using the video ID and authentication token to verify that it can
deliver the requested video content.
- Twistage calls a script on the Jive instance, called the "authentication callback
script", passing it the video ID and the authentication token.
- The authentication callback script determines whether the provided authentication token
is valid for viewing the provided video ID, and accepts or rejects the request with its
response code.
- Twistage responds to the CDN's verification request accordingly, and the CDN delivers
the video content to the browser or rejects the request.
- If your script returned an OK response code, the video plays on the page. If not, it
doesn't.
How Security Tokens Work
When you open a page that contains the Twistage video player plugin, Jive generates an
encrypted single-use security token that it passes to Twistage through the plugin. The token
contains the following information:
- The ID of the user requesting the video.
- The object type of the content. This should always be 1100.
- The ID of the video that is requested.
- The current time.
Jive encrypts the security token using Advanced Encryption Standard (AES) encryption and
intends for it only to be used once. When you play the video, Jive receives the token back
from the CDN via Twistage and validates the following token information:
- Is the user represented by the user ID authorized to view this video?
- Has the token expired? By default tokens will expire after 5 minutes. This timeout can
be configured using the 'video.max.token.time' property.
- Has the number of plays allowed by the token been exceeded? By default a token can be
used to play the video up to 5 times. This value can be configured using the
'video.max.token.plays' property.
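
The three validation questions above, together with the video ID and object type checks from the request lifecycle, can be sketched as follows. This is an added example, not Jive or Twistage code: it starts from an already decrypted token, and the `TokenClaims` and `CallbackValidator` names, the `can_view` permission lookup, the 200/403 response codes and the use of seconds for the timeout are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

VIDEO_OBJECT_TYPE = 1100        # object type the page says a video token carries
MAX_TOKEN_AGE_SECONDS = 5 * 60  # page default: tokens expire after 5 minutes
MAX_TOKEN_PLAYS = 5             # page default: a token allows up to 5 plays
OK, REJECT = 200, 403           # assumed response codes; the page names only "OK"


@dataclass(frozen=True)
class TokenClaims:
    """The four fields the page lists, as they would look after decryption."""
    user_id: int
    object_type: int
    video_id: int
    issued_at: float  # "current time" at token generation (epoch seconds)


class CallbackValidator:
    """Hypothetical stand-in for the authentication callback's decision logic."""

    def __init__(self, can_view, now=time.time):
        self._can_view = can_view  # callable(user_id, video_id) -> bool
        self._now = now            # injectable clock so expiry can be tested
        self._plays = {}           # TokenClaims -> plays already granted

    def check(self, claims, requested_video_id):
        """Return (response_code, reason) for one callback request."""
        if claims.object_type != VIDEO_OBJECT_TYPE:
            return REJECT, "wrong object type"
        if claims.video_id != requested_video_id:
            return REJECT, "token issued for a different video"
        age = self._now() - claims.issued_at
        if age < 0 or age > MAX_TOKEN_AGE_SECONDS:
            return REJECT, "token outside validity window"
        if not self._can_view(claims.user_id, claims.video_id):
            return REJECT, "user not authorized"
        used = self._plays.get(claims, 0)
        if used >= MAX_TOKEN_PLAYS:
            return REJECT, "play limit reached"
        self._plays[claims] = used + 1  # count only plays that were granted
        return OK, "ok"


if __name__ == "__main__":
    # Constructed sample: user 7 may view video 42; token issued just now.
    v = CallbackValidator(lambda u, vid: (u, vid) == (7, 42))
    t = TokenClaims(7, VIDEO_OBJECT_TYPE, 42, time.time())
    print([v.check(t, 42)[1] for _ in range(6)])  # five grants, then a rejection
    print(v.check(t, 43))
```

Because the play counter is keyed on the token's own fields, a token copied into a third-party page shares the same expiry and play budget as the original page view.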