The CDN content authentication service allows only authorized users to access your content. It performs token-based authentication before delivering content. You obtain an authentication token from the SoftLayer customer portal or API and append it to the CDN URL. When an end user requests a file, the CDN server checks the validity of the token, passed in the HTTP GET query string, against a remote web service provided by SoftLayer. The content is delivered if the value returned from the web service is good; otherwise the connection is rejected. The token authentication web service call is made in real time, and the incoming connection is held until the web service returns a value.
There are several scenarios where this authentication capability is useful. Websites can prevent rogue websites from linking to their videos. Content owners can prevent users from passing around HTTP links, thus forcing them to log in to view content.
To use the content authentication service, you need to place your content in the correct directories. Please refer to the table below:
| Media Type | CDN FTP Directory | Example URL |
|---|---|---|
| HTTP | /media/securehttp | http://securehttp.cdnlayer.com/secure_myCdnName/example.jpg?token=ramdomTokenString |
| Streaming Flash | /media/secureflash | rtmp://secureflash.cdnlayer.com/secure_myCdnName/example.flv?token=ramdomTokenString |
| Streaming Windows Media | /media/securewm | mms://securewm.cdnlayer.com/secure_myCdnName/example.wmv?token=ramdomTokenString |
There are 2 different types of tokens:
Timed Token
Timed tokens expire after the number of seconds you specify. You set the lifetime of a token by passing a number of seconds. For example, if you pass 3600 as the token life to the getTimedToken method, it returns a token that expires one hour after its creation. There is no way to revoke a timed token. To create a timed token, use the getTimedToken method, which takes 3 parameters:
* Token Life (required)
:This value determines how long a token will be valid. If you want to create a token that expires in an hour, pass 3600. The minimum value is 60 seconds and the maximum is 604800 seconds, which is a week.
* Client IP (optional)
:If set, the token validation process will match the client IP address. A valid value is an IPv4 address or an IP block. If you want to block access from IP 211.37.0.0/16, you can enter "211.37." instead. IP blocks can be specified only in multiples of 8 bits ("8bit times n").
* Referring domain (optional)
:The referrer, or referring page, is the URL of the previous webpage from which a link was followed. You can further restrict access to your content by matching referrer information. Set this value only if you are certain about the referrer you are expecting. You can only set a domain or an IP address, without a path or a file name in it. This can be a part of your domain. If you want to grant access from any of your subdomains, set the root domain as the referring domain.
Managed Token
Unlike timed tokens, managed tokens do NOT expire. It is your responsibility to manage the validity of managed tokens. You can revoke a single token, multiple tokens or all managed tokens. To create a managed token, use the createObject method, which takes 3 parameters:
* Name (optional)
:You can use a user ID or an account ID from your system as the token name. This value has no effect on token validation. It is useful if you want to associate a token with a user in your system, and it can also be handy when revoking a token.
* Client IP (optional)
:If set, the token validation process will match the client IP address. A valid value is an IPv4 address or an IP block. If you want to block access from IP 211.37.0.0/16, you can enter "211.37." instead. IP blocks can be specified only in multiples of 8 bits ("8bit times n").
* Referring domain (optional)
:The referrer, or referring page, is the URL of the previous webpage from which a link was followed. You can further restrict access to your content by matching referrer information. Set this value only if you are certain about the referrer you are expecting. You can only set a domain or an IP address, without a path or a file name in it. This can be a part of your domain. If you want to grant access from any of your subdomains, set the root domain as the referring domain.
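The following Python code is an added example, not SoftLayer's own code. It checks the timed and managed token parameters described above before they are passed to the token API, shows which network a Client IP block such as "211.37." covers, and appends a token to a secure CDN URL. The helper names are hypothetical, accepting a trailing dot on an IP block follows the "211.37." example above, and the token value is constructed.

```python
# Added example: helper names are hypothetical, not part of the SoftLayer API.
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MIN_LIFE, MAX_LIFE = 60, 604800  # seconds: the limits this page gives for Token Life


def check_token_life(seconds):
    """Reject a Token Life outside the documented 60..604800 second range."""
    if isinstance(seconds, bool) or not isinstance(seconds, int):
        raise ValueError("token life must be a whole number of seconds")
    if not MIN_LIFE <= seconds <= MAX_LIFE:
        raise ValueError(f"token life must be {MIN_LIFE}..{MAX_LIFE} seconds")
    return seconds


def client_ip_to_network(value):
    """Expand a Client IP value ("211.37." or a full IPv4 address) to the network it covers."""
    octets = value.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not an IPv4 address or octet-aligned block: {value!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    # "8bit times n": each octet supplied contributes 8 bits of prefix.
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")  # ValueError if an octet > 255


def check_referring_domain(value):
    """Accept a bare domain or IP address only: no scheme, path, file name or query."""
    if not value or any(c in value for c in "/?#:@ "):
        raise ValueError(f"referring domain must be a bare host name: {value!r}")
    return value.lower()


def add_token(cdn_url, token):
    """Append token=<token> to a secure CDN URL, replacing any token already present."""
    parts = urlsplit(cdn_url)
    if parts.scheme not in ("http", "rtmp", "mms") or not parts.netloc:
        raise ValueError(f"not a secure CDN URL: {cdn_url!r}")
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "token"]
    query.append(("token", token))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    print(check_token_life(3600), client_ip_to_network("211.37."))
    print(add_token("http://securehttp.cdnlayer.com/secure_myCdnName/example.jpg",
                    "CONSTRUCTED_TOKEN"))  # constructed token value, not a real one
```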
If you want to implement your own authentication web service, please refer to the setContentAuthenticationWsdl method.