
Authorization when calling a Servlet from a Midlet?

2 replies
casjen
Offline
Joined: 2007-12-05

Hi there,

First of all, I have to thank Tim and Terrence and of course all the other helpers for the really great sessions on the mobile track at the Sun Tech Days in Frankfurt.

I have been developing for JavaME for a few months now, and NetBeans 6.0 is the best IDE I have ever used, not only for JavaME! On the mobility track it was shown how to build a "mobile client to web application" with NetBeans. Before I knew about this possibility I created a servlet on the server side and the client on the mobile phone by hand. Now I use the automatic generation, and both ways work really fine.

I must admit that I am not really familiar with authorization methods, LDAP realms and so on.
What I am doing currently is to use a login screen on the mobile phone, encrypt the username and password, pass them to the servlet on the server and check them against the database. That means I am storing the username and password in my database and I have to maintain them there.
My server application provides a number of servlets for my mobile application. Using my JavaME app on a real phone means providing the servlets via the internet.
To ensure that only allowed users call my servlets via the internet, I check username and password every time a servlet is called.
My question is whether there is another way to authorize the mobile phone user against my server application. I thought about using the IMEI as an identification number because it is unique. But I am sure that this is not the only way.
Is there any mechanism in JavaME to authorize easily when calling a servlet? I have the opportunity to use an existing LDAP server in our network, and I know how to configure my servlet container with a security realm for this server. But what will my MIDlet do if the servlet is under such a security realm?

Thanks a lot for all answers!

Casjen

jozart
Offline
Joined: 2003-11-23

Username & password is typically what is used. (GMail MIDlet, for example.)

If you need a secure channel you can try HTTPS, or create your own with the Bouncy Castle tools.

IMEI might work, but it often isn't available in the wild.

I gather, however, that you're doing something for the corporate web.

Have you considered having your users authorize in a web browser before they obtain the MIDlet from your server? The server can add the authorization codes to the MIDlet's JAD file before delivery. After authorization, your server can send an SMS to the handset with a link to the preauthorized MIDlet in the body of the message. When the user receives the SMS, they select the link to install the MIDlet. (This works on many but not all handsets.)

--
Joe Bowbeer
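An added example (not code from this thread or from any of the posters) of what the MIDlet does when the servlet sits behind a container security realm, as asked in the original post: it sends the username and password as an HTTP Basic Authorization header over HTTPS, which is what the container expects when web.xml declares BASIC as the auth-method for that realm. The URL, class name and servlet path are placeholders, and the LDAP realm is assumed to be configured on the container side as the original post describes.

```java
import java.io.IOException;
import javax.microedition.io.Connector;
import javax.microedition.io.HttpConnection;
import javax.microedition.io.HttpsConnection;

public final class RealmClient {
    // Placeholder URL of a servlet that the container's security realm protects.
    private static final String SECURED_URL = "https://example.invalid/app/secure/Hello";

    /* Calls the protected servlet with HTTP Basic credentials and returns the
       HTTP status: 200 when the realm (e.g. LDAP) accepted the user, 401 when it
       rejected the credentials. No retry loop: a 401 goes back to the login
       screen rather than being resubmitted automatically. */
    public static int callSecured(String user, String password) throws IOException {
        HttpsConnection conn = null;
        try {
            conn = (HttpsConnection) Connector.open(SECURED_URL);
            conn.setRequestMethod(HttpConnection.GET);
            // Basic auth is only base64, not encryption, so it must travel over
            // HTTPS; the platform checks the server certificate in the handshake.
            conn.setRequestProperty("Authorization",
                                    "Basic " + base64(user + ":" + password));
            int rc = conn.getResponseCode();
            // On HTTP_OK, conn.openInputStream() delivers the servlet's reply;
            // on HTTP_UNAUTHORIZED the realm rejected the credentials.
            return rc;
        } finally {
            if (conn != null) conn.close();
        }
    }

    // MIDP has no Base64 class, so encode "user:password" by hand (RFC 2045 alphabet).
    static String base64(String s) {
        byte[] b = s.getBytes();
        String t = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
        StringBuffer out = new StringBuffer();
        for (int i = 0; i < b.length; i += 3) {
            int v = (b[i] & 0xff) << 16;
            if (i + 1 < b.length) v |= (b[i + 1] & 0xff) << 8;
            if (i + 2 < b.length) v |= (b[i + 2] & 0xff);
            out.append(t.charAt((v >> 18) & 63)).append(t.charAt((v >> 12) & 63));
            out.append(i + 1 < b.length ? t.charAt((v >> 6) & 63) : '=');
            out.append(i + 2 < b.length ? t.charAt(v & 63) : '=');
        }
        return out.toString();
    }
}
```

Because the credentials are resent on every call, the container still validates them against the realm each time, which matches the per-request check the original post already does against its own database.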

terrencebarr
Offline
Joined: 2004-03-04

Casjen,

Glad you enjoyed Tech Days!

As for your question ... I am not a security expert myself, but I compiled some resources in our Wiki:

http://wiki.java.net/bin/view/Mobileandembedded/SecurityResources

Most of these come from the Sun Developer Network, which has a number of articles on different topics:

http://developers.sun.com/mobility/

I think SATSA (JSR 177) might be a solution for you. Have a look and let me know. I might be able to contact some folks here at Sun to find out more.

Greetings,

-- Terrence