Bwirelezz mobile solutions

9.1 How can I protect certain WML pages/decks from unwanted users?

The WAP environment partially supports the protection of certain directories and files (and even commands) through the HTTP protocol. The system is identical to what you would use on a normal web page, and is known as Basic Authentication.

Note that some WAP emulators and virtual WAP browsers might not support this feature.

At this time it is not known whether it is possible to use other types of authentication.

To enable this feature your HTTP server must support it, and most of them do. When a WAP browser requests a certain URL, it will prompt the user for a username and password. Both are lightly encoded to pad the characters, but not encrypted, which means that anyone "listening" in on the network with the right equipment can see your username and password.

The feature is well documented in the Apache distribution, but for the documentationally impaired, here's how to configure this on an Apache HTTP server:

Make sure that Apache is configured so that so-called .htaccess files can override the global access settings. Access settings can be made either in separate files for each directory or in the global access.conf file, but in this example we'll concentrate on the use of the .htaccess file. Locate and edit the access.conf file and check the value of the AllowOverride setting. This should be set to AuthConfig, which means that when Apache finds a .htaccess file in a directory, it will apply the access rules found in the file to that directory. Remember to reload Apache after changing the settings.

Next, place a file called .htaccess in the directory you want to protect. (Note the dot at the start of the filename.) The contents of a basic .htaccess file should be something like this:

AuthType Basic
AuthName "WAP FAQ Authentication Demo"
AuthUserFile /home/httpd/passwd/auth.passwd
require valid-user

The AuthType setting specifies the type of authentication, the AuthName specifies the realm, the AuthUserFile specifies the path to a password file, and the require setting specifies what is needed to gain access. In this case, that is any user present in the password file who supplies the correct password.

Now you need to generate a password file, and since it's in a special format, Apache comes with a program called htpasswd to do this. Run the program like this:

# htpasswd /home/httpd/passwd/auth.passwd demo
New password:
Re-type password:
Adding password for user demo

NOTE! You must add the -c option to htpasswd the first time you create the file. Run htpasswd without any options to see the syntax.

You have now added a user called "demo" and typed in his password twice. Note that for security reasons, password files should NOT be placed below the document root like I've done in this example.

Now for the final part, testing, which I suggest you do with an HTML-capable browser. Type in the URL for the directory you have protected, and a dialog box asking for username and password should appear. You are now ready to test with a WAP browser.

An example protected directory is available on this server for both HTML and WML browsers. The username for this is "demo" and the password is "demo".

This example is also available at the much-easier-to-type URL of DEMO

Or, you can just click here for the protected area and click here to see the .htaccess file used in this example (Note that this file has another name for example purposes).
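
The exchange behind the login prompt, as an added example that is not part of the original FAQ: it builds the header a browser sends for the "demo" account and the realm from the .htaccess file above, then recovers the username and password from that header without any key, which is why the credentials are readable on the network unless the connection itself is encrypted. The function names are illustrative and the header values are constructed.

```python
import base64

REALM = "WAP FAQ Authentication Demo"  # AuthName from the .htaccess file on this page


def challenge(realm):
    """Header lines of the 401 response sent for a protected URL (constructed)."""
    return ["HTTP/1.1 401 Unauthorized",
            f'WWW-Authenticate: Basic realm="{realm}"']


def authorization_header(user, password):
    """What the browser sends back once the user has filled in the prompt."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def parse_authorization(header):
    """Recover (user, password) from an Authorization header line.

    The server does this, and so can anyone else who sees the header:
    Base64 is an encoding, not encryption. Returns None for a missing,
    non-Basic or malformed header.
    """
    name, _, value = header.partition(":")
    if name.strip().lower() != "authorization":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad Base64 and bad UTF-8
        return None
    # Split on the first colon only: a password may itself contain colons.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


if __name__ == "__main__":
    print("\n".join(challenge(REALM)))
    sent = authorization_header("demo", "demo")
    print(sent)
    print("decoded:", parse_authorization(sent))
```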
