Hi,
It doesn’t require you to write an elaborate JWPlayer plugin. One way or another, you MUST generate the JWPlayer code on the web server side. Basically, you MUST "render" the HTML code that is going to hit the client side. At that stage in time, instead of using a hardcoded well-known stream name, you need to create a random one and also inform EMS about it via HTTP CLI command. Nothing changes in the JWPlayer. You can use any stock JWPlayer. That alias name is going to be one-shot. That means that after it has been used, it is not good again. That means that absolutely nobody else except your site can generate VALID stream names and authorise clients to view streams.
I want to point out that you can trick FMS or any other RTMP server (including EMS) if you only rely on swfUrl and a list of servers allowed. You can even trick swf validation via RTMPE and there is absolutely nothing you can do about that. Look at rtmpdump for example. It is mathematically impossible to overcome this problem because all encryption algorithms are based on well-known keys. Basically, it is just security through obscurity. Nothing more than just a matter of calling rtmpdump with the proper arguments.
Having stream aliasing is not perfect either, but at least it is something that you can efficiently control via web server side code (analyse the source IP, validate a cookie, authenticate with username/password, etc.).
Best regards,
Andrei
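
The flow described in the post above, sketched as an added example (not part of the original post and not EMS or JW Player project code): the web server checks the viewer, creates a random alias, registers it with EMS over the HTTP CLI, and only then renders a stock JW Player embed that names the alias. The EMS address, the RTMP URL, the helper names, and the `addStreamAlias` command shape with its `expirePeriod` semantics are assumptions here; check them against the API reference for your EMS version.

```python
import base64
import html
import secrets
import urllib.request
from urllib.parse import quote

EMS_CLI = "http://127.0.0.1:7777"           # assumed EMS HTTP CLI endpoint
RTMP_APP = "rtmp://media.example.com/live"  # placeholder RTMP application URL


def ems_alias_url(local_stream, alias, expire_period=-60):
    """Build the HTTP CLI request that maps alias -> local_stream.

    Assumed command: addStreamAlias, parameters base64-encoded in `params`;
    a negative expirePeriod is taken to mean one-shot, valid at most that long.
    """
    params = (f"localStreamName={local_stream} aliasName={alias} "
              f"expirePeriod={expire_period}")
    encoded = base64.b64encode(params.encode()).decode()
    return f"{EMS_CLI}/addStreamAlias?params={quote(encoded, safe='')}"


def http_get(url):
    """Default transport: plain GET to EMS with a short timeout."""
    with urllib.request.urlopen(url, timeout=3) as resp:
        return resp.status == 200


def render_player(local_stream, viewer_ok, send=http_get):
    """Return the player HTML for one page view, or None if refused.

    viewer_ok is the result of the site's own check (cookie, login, source IP).
    """
    if not viewer_ok:
        return None                      # no alias is ever created for this viewer
    alias = secrets.token_urlsafe(24)    # 192 bits from the OS CSPRNG
    if not send(ems_alias_url(local_stream, alias)):
        return None                      # EMS did not accept the alias
    return (
        '<div id="player"></div>\n'
        '<script>jwplayer("player").setup({file: "%s"});</script>'
        % html.escape(f"{RTMP_APP}/{alias}", quote=True)
    )
```

The real stream name never reaches the browser; only the alias does, and the EMS HTTP CLI should be reachable from the web server only.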