    // Send a response to the client.
    response.setContentType("text/plain");
    response.setContentLength(message.length());
    PrintWriter out = response.getWriter();
    out.println(message);
  }

  private String lookupPassword(String user) {
    // Here you could do a real lookup based on the user name.
    // You might look in a text file or a database. Here, we
    // just use a hard-coded value.
    return "happy8";
  }

  private boolean isEqual(byte[] one, byte[] two) {
    if (one.length != two.length) return false;
    // Accumulate the differences instead of returning on the first
    // mismatching byte, so the comparison takes the same time no matter
    // where the two digests differ (a constant-time compare).
    int result = 0;
    for (int i = 0; i < one.length; i++)
      result |= one[i] ^ two[i];
    return result == 0;
  }
}
The basic procedure is to pull the parameters out of the request from the MIDlet, and then independently calculate the message digest value. The servlet looks up the user's password in the lookupPassword() method. In a more serious implementation, the servlet would probably look up the password in a database of some sort.

Once the servlet has the user's password, it pumps the user name, password, timestamp, and random number into a message digest. Then it calculates the message digest value and compares this result with the digest value that was sent from the MIDlet. If the digest values match, the MIDlet client is authenticated.
Suggested Enhancements
One obvious enhancement to this system is to actually retrieve passwords (on the server side)
from a database or password repository of some sort.
Furthermore, the servlet needs to validate the timestamp it receives from the client. Every
time a user tries to log in, the servlet should make sure that the user's timestamp is greater than
the timestamp from the user's previous login attempt.
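The following Python script is an added example, not code from the book or its sample servlet; it models the exchange described above (client sends user name, timestamp, random number and a digest over those plus the password; server recomputes the digest from its own copy of the password) together with the timestamp check suggested here. Python rather than Java is used so the protocol logic can be run without a servlet container. SHA-1 as the digest, hex encoding on the wire, and the in-memory dictionaries standing in for the password database and the per-user last-timestamp record are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for server-side state. The page suggests a real
# database; here one dict holds the same hard-coded password the page's
# lookupPassword() returns, and another remembers each user's last
# accepted timestamp for the replay check.
PASSWORDS = {"jonathan": "happy8"}
LAST_TIMESTAMP = {}


def lookup_password(user):
    """Server-side password lookup (hypothetical in-memory store)."""
    return PASSWORDS.get(user)


def compute_digest(user, password, timestamp, nonce):
    """Digest over user name, password, timestamp and random number, in the
    order the page describes. SHA-1 and hex output are assumptions; the page
    names neither the algorithm nor the wire encoding."""
    md = hashlib.sha1()
    for part in (user, password, str(timestamp), nonce):
        md.update(part.encode("utf-8"))
    return md.hexdigest()


def client_login_request(user, password, timestamp=None, nonce=None):
    """Build the parameters the MIDlet would send. The password itself never
    leaves the device; only the digest computed with it does."""
    if timestamp is None:
        timestamp = int(time.time() * 1000)
    if nonce is None:
        nonce = secrets.token_hex(8)
    return {
        "user": user,
        "timestamp": timestamp,
        "random": nonce,
        "digest": compute_digest(user, password, timestamp, nonce),
    }


def server_verify(request):
    """Servlet side: recompute the digest independently, compare it in
    constant time, then require the timestamp to advance past the user's
    previous accepted login so a captured request cannot be replayed."""
    user = request["user"]
    password = lookup_password(user)
    if password is None:
        return False
    timestamp = int(request["timestamp"])
    expected = compute_digest(user, password, timestamp, request["random"])
    # hmac.compare_digest avoids the early-exit timing leak of a plain
    # byte-by-byte loop.
    if not hmac.compare_digest(expected.encode(), str(request["digest"]).encode()):
        return False
    # Only a request with a valid digest may move the stored timestamp.
    if timestamp <= LAST_TIMESTAMP.get(user, -1):
        return False
    LAST_TIMESTAMP[user] = timestamp
    return True


if __name__ == "__main__":
    req = client_login_request("jonathan", "happy8")
    print("first login:", server_verify(req))     # True
    print("replayed login:", server_verify(req))  # False: timestamp not newer
```

Note that the timestamp check only has value because the timestamp is covered by the digest: a request whose timestamp is edited without knowledge of the password fails the digest comparison before the replay check is reached.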
One possible enhancement on the client side is to store the user's name and password in a record store so that they can be automatically sent with each login attempt. Normally this might seem like a bad idea. But small devices are generally kept physically secure by their owners—you try to keep your mobile phone in your possession at all times, or you lock it up somewhere. It's a trade-off between convenience and security. But just considering how difficult it is to enter text on a mobile phone keypad, you might want to give your users the convenience of using a stored name and password.