(topic moved from wrong forum)
Sorry if I'm not in the proper forum.
I believe there might be a security issue with acces to the /stream URI. On my setup (madsonic 5.0-3830) you can access it from anywhere without any authentication. Players like Jamstash uses /rest/stream.view, which looks correctly protected. The workaround I use for now is to comment out the servlet-mapping section for /stream in %madsonic-home%/jetty/3880/webapp/WEB-INF/web.xml, but that breaks the internal Web player because it does not seam to be using the REST API.
Can you confirm if whether or not there is a security issue here.