Wrench Release notes


  • built using JDK 9 targeting Wowza 4.7.8


  • deprecated wrench.jdbc.driver setting, as modern JDBC drivers self-register. The database driver is determined based on the JDBC URL
  • error handling added to the scenario where the database pool is depleted. Wrench passes over connections in this scenario to avoid bad user experience.


  • publication events sent out to external webservices now contain the webrtc flag (isWebRTC)


  • wrench.switchable.public.mode.filtering
  • wrench.http.streamer.request.ignore.token
  • "constant" as a valid public mode setting
  • HTTP request rate limiting feature with DB logging and/or dropping clients exceeding request limit (prevents certain "download helpers")
  • IP and query string taken from requests not only from session when http streamer request checking is enabled


  • Fixed a bug where the UI was not accessible in certain cases
  • Initial WebRTC support


  • REST API for programmatically kicking out a Wowza session based on username or session ID
  • Supports multiple applications spinning up the web interface without interference


  • Redirect to preconfigured video if token is missing or authentication fails: wrench.auth.failed.video.http.url
  • Fixed a bug where the UI was not saving certain numeric values properly
  • Support for Wowza behind proxy server: the IP address can be overridden by arbitrary configured HTTP header, e.g. X-Forwarded-For with wrench.ip.override.http.header setting
  • Bitrate limitation: token resolution can now return a bitrate limit for the user which is if exceeded, Wrench disconnects the user
  • Fixed a bug where the token was not properly parsed out from certain MPEG-DASH requests


  • Added support for the http streamer request checking feature for MPEG-DASH
  • Database connection is tested upon startup
  • Minor logging tweaks
  • Fixed occasional NPE when the stream was rejected
  • Fixed the bug where certain SQL exceptions got logged as NPE hiding the root cause
  • Removed slf4j from the build
  • New option: wrench.dbcp.max.idle.size that allows more control on the connection pool
  • Fixed duplicate Content-Type header issue on certain outgoing messages that caused problems on IIS


  • Web user interface for configuration and management (list sessions, kick user)
  • IP parameter available in token resolver query
  • Java 8 is mandatory
  • applicationName and applicationInstanceName available in MDC (so you can display it in your log4j configuration)
  • Introduced wrench.server.logical.name (available in lifecycle hooks as parameter)
  • IP bypassing also supports subnets with CIDR notation


  • Stream name and session id available as parameter in the disconnect SQL hook
  • New convencience parameter: wrench.bypass.publish.allowed


  • Fixed the HTTP Accept header of outgoing POSTs, they are now application/json


  • Configuration fully cleared out after reading it on startup, to address a security issue


  • Fixed java.lang.NullPointerException at certain circumstances in the PPM engine


  • IP address is also available in token resolver webservice request
  • wrench.force.secure.transport option to force secure transport


  • Introduced webservice based token resolution mechanism
  • Optional encoder flag checking upon publishing
  • New attribute "eventType" in the JSON messages sent upon play and publish, that helps decision in the auth webservice
  • Fixed Content-Type headers in the outgoing JSON messages, application/json; charset=UTF-8 has been added


  • Fixed a bug in drop duplicate mechanism that caused dropping the newcomer instead of an existing player
  • PPM/PPV HTTP event publishing feature
  • wrench.duplicate.check.sql allows concurrency checking in multi-edge setup
  • Repackaging from com.wowzatoolbox to com.streamtoolbox


  • wrench.bypass.ip option allows specifying a list of IP addresses that can bypass any check. This can be used for some hardware encoders that don't allow passing the token
  • wrench.connect.authorization.url allows hooking up external webservices that are asked if the current connection should be accepted or not


  • New lifecycle hook wrench.duplicate.drop.sql
  • wrench.http.streamer.request.check.enable option to validate every single HTTP request received (only works with Wowza Streaming Engine 4.1.x)


  • wrench.rtp.check.enable switch allows disabling the RTP protocol checking which is needed if using IP cameras
  • Fixed a bug that caused wrong concurrency limit calculation, had to set n+1 if you wanted n
  • Released wrench.duplicate.drop.other toggle for kicking off existing user if a new user comes with the same username over the limit


  • Introduced plain as an option for wrench.token.hasher to support users who deliberately want less security
  • Added encoder as a SQL parameter in wrench.connect.authorization.sql


  • Introduced wrench.http.referrer.whitelist and wrench.http.referrer.blacklist features that allow limiting player access based on this HTTP header
  • Introduced wrench.verbose.logging switch that is on by default, but if switched off, the amount of logging is reduced
  • Publish stream events (start, stop, play, pause) by calling arbitrary HTTP endpoint POSTing JSON messages


  • Introduced wrench.user.agent.whitelist and wrench.user.agent.blacklist features


  • Introduced wrench.publish.authentication.query which enables per stream / per user permission checking upon RTMP and RTP publishing
  • Allow using :username in token invalidation query
  • Fixed NPE when RTP client starts streaming from Wowza GoCoder on iPhone
  • Fixed query param parsing, trailing slashes are now handled properly


  • Added :hashedtoken parameter to PPM/PPV sql queries
  • The client type (is encoder or not) can be determined by the token resolver query's new optional return column
  • Better error handling in the monitor job
  • Fixed a bug that prevented PPM queries to be executed in case of Flash clients and VOD


  • Added :stream as a parameter to wrench.connect.authorization.sql, so per stream user authentication is possible


  • Fixed a bug that caused wrench.connect.authorization.sql not to work under certain conditions


  • Fixed a bug that caused concurrency checking mechanism not being configured properly under certain conditions
  • Minor improvements in logging


  • Dynamic public/secured mode switching via file or SQL query based switch
  • Minor bugfixes


  • Added support for RTP and MPEG-DASH streaming
  • New DBCP parameters can be configured (maxWaitTime, etc.)
  • New lifecycle hook wrench.ppm.disconnect.sql that allows dynamically dropping players if their PPM balance goes down
  • Bugfix: token invalidation query was not performed if logging was not on debug level
  • Free version's player limit decreased to 25 (sorry)


  • Added support for HTTP based streaming such as San Jose, Cupertino and Smooth streaming
  • Concurrent playing is cross-checked between RTMP and HTTP based streams


  • Token IP address checking
  • Token expiration time checking
  • Duplicate player filtering


  • Bugfix
  • Param substitution changed from pure JDBC to :param style for the update sql run when disconnect


  • Easier SQL parameter binding everywhere by using the :paramname notation instead of ? marks
  • No need to add any external dependencies to lib manually except the JDBC driver, everything is packed into a single fat jar


  • Introduced pay-per-minute and pay-per view features


  • Initial launch of Wowza Wrench with the basic user authentication and SQL hook based authorization functionality.