Web pages on the corporate intranet can be accessed by BlackBerry’s Mobile
Data Service (MDS) with the BlackBerry browser. Some sites on the intranet
require basic HTTP authentication before they are accessed, making it a bit
cumbersome for users to access them. As described in the BlackBerry knowledge
base article DB-00375, the Mobile Data Service can optionally include a
header with the device’s PIN and another with its email address for each HTTP
request originating on the MDS. Why not use that feature to protect your pages
by checking a list of device PINs, making it easier for BlackBerry device
users to access those pages? They will be grateful not to have to key in
their credentials at each visit. Since it is trivial to forge a header
using a desktop browser, the internal web server on which the pages reside
should use access control to limit access to the IP address of the MDS
server. It may not be completely foolproof, but it certainly will make the
pages extremely difficult to get at without a registered BlackBerry device. In
the sample below, I’ve set the HTTP header property on my MDS (and on the
simulator) to application.handler.http.header=email,pin in order to be
supplied with both the PIN and the user’s email address, and I’ve set a domain
limitation for the MDS so that it only supplies these headers to my own
servers (I don’t want my users’ PINs or email addresses visible outside my
domain). For this restriction to work, I’ve defined the domain property to be
application.handler.http.header.domain=.+\.fupps\.com (a regular expression
matched against the host name). See the knowledge base article for an example
of how to set multiple domains. A trivial PHP page running on an Apache server
demonstrates the concept.
<?php
$pin = '2100000a'; # the single device PIN allowed to view this page
# Apache exposes the MDS-supplied Rim-device-id header as HTTP_RIM_DEVICE_ID;
# read it defensively, since a request that did not pass through the MDS has none.
$device_id = isset($_SERVER['HTTP_RIM_DEVICE_ID']) ? $_SERVER['HTTP_RIM_DEVICE_ID'] : '';
if ($device_id !== $pin)
{
    header("HTTP/1.1 403 Forbidden");
    # The header value is client-controlled, so escape it before echoing it back.
    print "Forbidden for PIN " . htmlspecialchars($device_id, ENT_QUOTES, 'UTF-8');
    exit;
}
$rim_mail = isset($_SERVER['HTTP_RIM_DEVICE_EMAIL']) ?
    $_SERVER['HTTP_RIM_DEVICE_EMAIL'] : "undefined";
print "Welcome. Your email is " . htmlspecialchars($rim_mail, ENT_QUOTES, 'UTF-8');
exit;
?>
If all goes well, and the device PIN corresponds to the one hard-coded in the
script, the user will get the page; whereas if the user is not allowed to view
the page, an HTTP 403 (Forbidden) status is returned to the device. If the user
clicks on “details”, the error message is shown.
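The post describes two checks working together: a list of permitted device PINs, and a restriction so that only requests arriving from the MDS server are trusted at all. The following is an added example, not the original post's script, that puts both into one PHP page. The PIN values, the MDS address, and the function name check_mds_request are assumptions chosen for illustration; the RIM_DEVICE_ID and RIM_DEVICE_EMAIL header names are the ones used by the post. The post recommends enforcing the source-address restriction in the web server's access control; checking REMOTE_ADDR in the script as well is a second layer in case that rule is ever misconfigured.

```php
<?php
# Added example (not from the original post). Placeholder values throughout.

# Device PINs allowed to view this page, stored in lower-case hex
# (constructed placeholder values).
$allowed_pins = array('2100000a', '2100000b');

# Address(es) of the MDS server(s) permitted to reach this page
# (placeholder RFC 1918 address; assumption).
$mds_addresses = array('10.0.0.5');

# Decides whether a request may see the page.
# $server is the $_SERVER array, passed in so the logic can be exercised
# with constructed input. Returns array(http_status, message).
function check_mds_request(array $server, array $allowed_pins, array $mds_addresses)
{
    # 1. Only trust the RIM headers when the request came through the MDS;
    #    any other client could have forged them.
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($remote, $mds_addresses, true)) {
        return array(403, 'Forbidden: request did not originate from the MDS');
    }

    # 2. Look the device PIN up in the allow-list (case-insensitive hex).
    $pin = isset($server['HTTP_RIM_DEVICE_ID'])
        ? strtolower(trim($server['HTTP_RIM_DEVICE_ID'])) : '';
    if ($pin === '' || !in_array($pin, $allowed_pins, true)) {
        return array(403, 'Forbidden for PIN ' . $pin);
    }

    # 3. Authorised: greet the user with the email address the MDS supplied.
    $mail = isset($server['HTTP_RIM_DEVICE_EMAIL'])
        ? $server['HTTP_RIM_DEVICE_EMAIL'] : 'undefined';
    return array(200, 'Welcome. Your email is ' . $mail);
}

list($status, $message) = check_mds_request($_SERVER, $allowed_pins, $mds_addresses);
if ($status !== 200) {
    header('HTTP/1.1 403 Forbidden');
}
# Both the PIN and the email address come straight from request headers,
# so escape them before echoing them back.
print htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
?>
```

Because the decision is made in a function that receives the server array as a parameter, the two failure paths (wrong source address, PIN not on the list) can be tried out with hand-built arrays before the page is deployed behind the MDS.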
Used carefully, this can make your users’ BlackBerry experience even better
when surfing through your corporate intranet.