DRM Support For Static Content
MAS supports digital rights management (DRM) for your content via a central authorization server. This method of content protection requires you to have an authorization URL where all requests for protected content must first be authorized.
How It Works
When a client requests protected content over MAS, the path of the file and any HTTP GET query parameters are sent via HTTP POST to the authorization URL configured for the site. If the request is authorized, the authorization server responds with an HTTP 200 response. The content body of the response can optionally contain a JSON object with the correct path for the content on the origin server. Any other response from the authorization server is considered as an authorization failure and the client will receive an HTTP 403 error instead of the requested content.
To add DRM support for your static content ensure that you have a working authorization server. The MAS CDN node receiving the request for protected content will send an HTTP POST request to the URL of the authorization server. The POST request will contain these two fields:
- path - path for the requested content, example: /protected/video.mp4
- host - full subdomain of your MAS configuration, example: protected-t1.griffinmas.com or cname.yourdomain.com
In addition, any HTTP GET query parameters in the URL will be sent as POST fields. So if your content URL is:
The full content of the POST request to your authorization server will be:
Your authorization server must respond with an HTTP 200 status code. The content body can optionally contain a JSON object:
If supplied, this JSON object will be used as the path when first retrieving and caching the content from your origin server. This is useful if you wish to embed the authorization data in the content path itself instead of using HTTP GET query parameters. Using the same example above, but without the use of HTTP GET query parameters, the URL would look like:
In this URL example, the token, user id and expiration date becomes part of the content path. The MAS cache node server will send the path field as "protected/123/abcd/1234567890/video.mp4" which you can then easily validate on your authorization server.
Once you have a working authorization server, you will need to add your authorization server URL and protected content paths to your configuration.
- Login to your MAS account.
- Click on "Configurations" in the top menu.
- Click on the configuration you wish to edit.
- Click on "DRM Protection" in the left menu.
- In the "Authorization Servers" tab, enter the full URL to your authorization server. MAS allows multiple authorization servers to support high-availability. If the first server fails to respond, the next server is tried, and so on. If all servers fail to respond, the client receives an HTTP 403 error.
- In the "Secure Paths" tab, enter the path fragments that you wish to protect. You can select the match method, "Starts with", "Ends with", or "Contains". Multiple Secure Paths can be specified and each one will be tried in order until a match is found for the requested path.
- Activate your configuration if it is not yet activated.
The "Secure Path" containing only a forward slash character "/" is treated as a special case. This allows you to protect all paths on your origin server. If the first Secure Path is a "/", all the other Secure Paths after it will be ignored.