Authorizing Web Access by PIN

Web pages on the corporate intranet can be accessed by BlackBerry’s Mobile Data Service (MDS) with the BlackBerry browser. Some sites on the intranet require basic HTTP authentication before they are accessed, making it a bit cumbersome for users to access them. As described in the BlackBerry knowledge base article DB-00375, the Mobile Data Service can optionally include a header with the device’s PIN and another with its email address for each HTTP request originating on the MDS. Why not use that feature to protect your pages by checking a list of device PINs, making it easier for BlackBerry device users to access those pages? They will be grateful to you to not have to key in their credentials at each visit. Since it is trivial to forge a header utilizing a desktop browser, the internal web server on which the pages reside should use access control to limit access to the TCP/IP address of the MDS server. It may not be completely fool proof, but it certain will make the pages extremely difficult to get at without a registered BlackBerry device. In the sample below, I’ve set the HTTP header property on my MDS (and on the simulator) to application.handler.http.header=email,pin in order to be supplied with both the PIN and the user’s email address, and I’ve set a domain limitation for the MDS so that it only supplies these headers to my own servers (I don’t want my user’s PIN or email address visible outside my domain). For this restriction to work, I’ve defined the domain property to be application.handler.http.header.domain=.+\.fupps\.com. See the knowledge base article for an example on how to set multiple domains. A trivial PHP page running on an Apache server demonstrates the concept.

<?php
  $pin = '2100000a'; # PIN number

  if (!isset($_SERVER['HTTP_RIM_DEVICE_ID'])
     || $_SERVER['HTTP_RIM_DEVICE_ID'] != $pin)
  {
	header("HTTP/1.1 403 Forbidden");
	print "Forbidden for PIN " . $_SERVER['HTTP_RIM_DEVICE_ID'];
	exit;
  }

  $rim_mail = isset($_SERVER['HTTP_RIM_DEVICE_EMAIL']) ?
  $_SERVER['HTTP_RIM_DEVICE_EMAIL'] : "undefined";

  print "Welcome. Your email is $rim_mail";
  exit;
?>

If all goes well, and the device PIN corresponds to the one hard-coded in the script, the user will get the page: Access granted whereas if the user is not allowed to view the page, an HTTP header 403 (forbidden) is issued to the device. If the user clicks on “details”, the error-message is shown: Access forbidden Used carefully, this can make your user’s BlackBerry experience even better when surfing through your corporate intranet.

<Earlier Later>
BlackBerry and Apache :: 23 Aug 2006 :: e-mail