Protection of static resources prevents playback of videos

[trueeh]

Opencast is installed by default with protection of static resources. This leads to an error 403 when a video is to be played in mod_opencast.

In "opencast/org.opencastproject.fsresources.StaticResourceServlet.cfg":
#Default: true
#authentication.required = true

To get mod_opencast to run, protection of static must be switched off. This is a lack of security when the videos need to be protected.

[mtneug]

This is a known issue and documented (explicitly for ILIAS and Tobira but it's also true for mod_opencast). The currently proposed solution is a signed URL implementation based on JWT. See opencast/opencast#5334 and opencast/opencast#6177 for discussions on the Opencast side. The 24/25 crowdfunding campaign will pick up this topic and it also gained some traction recently amongst the Opencast adopters. So I'm sure this will be implemented over the coming months. Note that this will require work on the Moodle side as well.

[trueeh]

Matthias, thanks for taking care.
URL signing is not a solution for us, because it breaks playback via text and media area in Moodle.
But good to hear that implementation is imminent.

[mtneug]

URL signing is not a solution for us, because it breaks playback via text and media area in Moodle.

Can you elaborate? I'm not referring to the old URL signing implementation in Opencast. This is an entirely new implementation. And if the Moodle plugins follow suit, this should also work with the filter/repository plugins.

[trueeh]

The signed URL which ist embedded in text/media field looks like this:

.../static/mh_default_org/api/9561dd1c-fb28-4333-9072-ba6aa8315d7d/64f89659-8d6e-4cb7-a5ba-412667110580/MyVideo.mp4?policy=eyJTdGF0ZW1lbnQiOnsiQ29uZGl0aW9uIjp7IkRhdGVMZXNzVGhhbiI6MTcyODk5OTE1NTg0N30sIlJlc291cmNlIjoiaHR0cHM6XC9cL29jdGVzdC51bmktaGlsZGVzaGVpbS5kZVwvc3RhdGljXC9taF9kZWZhdWx0X29yZ1wvYXBpXC85NTYxZGQxYy1mYjI4LTQzMzMtOTA3Mi1iYTZhYTgzMTVkN2RcLzY0Zjg5NjU5LThkNmUtNGNiNy1hNWJhLTQxMjY2NzExMDU4MFwvVmlzaW9uel9Ba2l0X1ZpZGVvXzEubXA0In19&keyId=uhiKeyOne&signature=2cf15a167c28f938ac55517257dd52e7eb3a9e2f83534b7487cb120001626fe2

And the URL is only valid for a certain amount of time (and can additionally be restricted to the ip address) and then the video can no longer be played back.

[mtneug]

ok this is the old implementation. But in general, it's a similar idea. The URL is only valid for some time and the system needs to renew the token. In the new implementation, this would be done by Moodle.

[trueeh]

How can I get the new implementation? We are using Opencast 16.5 and Moodle 4.1.14 with plugin release v4.4-r1

[mtneug]

The new implementation does not exist right now. In my first post, I linked to the discussion in the Opencast community. Again, this is part of the 24/25 crowdfunding and will likely be implemented on the Opencast side in the near future. Moodle will need to follow.

[trueeh]

Ah ok, I thought I had overlooked something. Then we wait and look forward to the new implementation.

Thanks again for taking care, Matthias.

Best regards,
Hartmut