Programmer's Guide Nokia WAP Server API 1.1
5 Servlets in the Nokia WAP Server
This chapter gives a more technical description of the dynamics of a servlet in the Nokia WAP Server.
5.1 The life cycle of a servlet
Servlets are loaded dynamically by the Nokia WAP Server. The loading is done using the normal Java class loading and initialisation facilities. The Nokia WAP Server loads the servlet when the server starts or when the servlet is installed.
After the loading, the following three main methods are involved in the life cycle of the servlet:
- Servlets are activated by the Nokia WAP Server through an init() call. Servlets are likely to provide their own implementation of this method to perform the possibly slow and costly initialisation of the servlet only once, rather than once per request. With the init() call, the servlet receives the configuration information (ServletConfig). The Nokia WAP Server provides a user interface for editing and maintaining these configuration settings.
- After the initialisation, the servlets handle many requests. Each terminal request generates one service() method call. These requests can be concurrent.
- The request processing goes on until the Nokia WAP Server explicitly shuts down the servlet by calling the destroy() method.
The Nokia WAP Server provides a "reload servlet" functionality for the administrator. The servlets see this as a destroy() call for the current servlet instance, followed by the creation of a new instance and an init() call for it. If the configuration of the servlet is changed, the updated configuration is provided in the init() call for the new instance.
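The life cycle above, as an added example that is not part of the original guide. It shows why per-request data such as the authenticated user must not live in instance fields when service() calls overlap. It assumes the standard javax.servlet classes; the class name and the "greeting" setting name are hypothetical.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class GreetingServlet extends HttpServlet {
    // Set once in init() and only read afterwards, so request threads can share it.
    private volatile String greeting;
    // Shared mutable state must be thread-safe: service() calls can overlap.
    private final AtomicLong served = new AtomicLong();
    // Do NOT keep per-request data (user name, request object) in a field:
    // with concurrent requests one user's value can be read by another user's thread.

    @Override
    public void init(ServletConfig config) throws ServletException {
        super.init(config); // keeps getServletConfig() and log() working
        String configured = config.getInitParameter("greeting"); // hypothetical setting name
        greeting = (configured != null) ? configured : "Hello";
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser(); // per-request value stays in a local variable
        long n = served.incrementAndGet();
        resp.setContentType("text/vnd.wap.wml");
        resp.getWriter().print("<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE wml PUBLIC \"-//WAPFORUM//DTD WML 1.1//EN\" "
            + "\"http://www.wapforum.org/DTD/wml_1.1.xml\">\n"
            + "<wml><card id=\"main\"><p>" + escape(greeting) + ", "
            + escape(user != null ? user : "guest") + " (#" + n + ")</p></card></wml>");
    }

    @Override
    public void destroy() {
        // Called on shutdown or "reload servlet"; the new instance gets its own init().
        log("served " + served.get() + " requests before destroy()");
    }

    // Escape markup characters; '$' starts a variable reference in WML, "$$" is a literal '$'.
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("$", "$$");
    }
}
```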
5.2 Security
The Nokia WAP Server is responsible for an end-to-end security solution for the servlets. The Nokia WAP Server takes care of all the security issues and a servlet does not have to implement anything in order to be accessed securely. This chapter describes how a servlet can know the level of security and the authentication method that the Nokia WAP Server has used to identify the servlet user.
The Nokia WAP Server also has access control features that are not visible to the servlets. These features contain URL based access control and terminal access control. Terminal access control means that the Nokia WAP Server can be accessed only with defined terminals. For a detailed description of the Nokia WAP Server security and access control features, see the Nokia WAP Server product information.
5.2.1 WAP security protocol (WTLS)
The Nokia WAP Server supports the WAP security protocol, which provides the following security features:
- Content encryption
- Content integrity
- Server authentication using certificates
The level of security varies depending on the algorithms used. The algorithms are selected by the Nokia WAP Server administrator, who also selects the server certificates to be used. With the WapRequest.getSecureClass() method, a servlet can query the security class that is used by the WTLS security. If the WTLS protocol is not used at all, the method reports that as well.
Note:
A WAP service author has no way of influencing when WTLS is used and when it is not used. The terminal decides when to use WTLS: it might use it always or it may have a user option for that. Also, an HTTPS scheme in the WML deck has no influence on whether WTLS is used or not. It is up to the Nokia WAP Server or the servlet to allow or disallow communication to origin servers or to a local application when WTLS is not used.
In case high security is needed, the most important thing is to have WTLS security between the WAP terminal and the Nokia WAP Server hosted by the trusted party (the company itself). Then the connection from the Nokia WAP Server to the origin server within the trusted domain can be implemented over plain HTTP.
5.2.2 Nokia WAP Server user authentication
The Nokia WAP Server applies user authentication if so requested by the Nokia WAP Server administrator. The user authentication can be applied with or without using the WTLS protocol. The user authentication can be done in the following ways:
- Using the HTTP proxy authentication protocol [4]. The Nokia WAP Server user database contains the users and their passwords. The Nokia WAP Server uses the Basic authentication scheme for the proxy authentication.
- Using terminal address information. For each user, the administrator can define a set of terminal addresses (MSISDN numbers), which can be marked as "trusted" MSISDN numbers.
Servlets have access to the authentication information, which contains the following items: who the authenticated user is and how the authentication was done.
WapRequest.getAuthenticationType() returns which of the above-mentioned authentication types was used. If the authentication is not done, user information is not available with the other functions.
WapRequest.getUserId() provides the Nokia WAP Server specific ID of the authenticated user. The ID can be used to access information via the UserDirectory interface.
WapRequest.getUserName() provides the Nokia WAP Server username of the authenticated user if it is available.
HttpServletRequest.getRemoteUser() provides the user's Nokia WAP Server username only if the user has been authenticated with proxy authentication.
HttpServletRequest.getAuthType() returns the proxy authentication scheme that was used for the authentication.
When the WTLS protocol is used, HTTP proxy authentication is a very reliable way of authenticating users.
If a servlet requires separate user authentication, it may use the HTTP authentication for its own purposes. For details, see [4].
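One way a servlet could apply the checks from sections 5.2.1 and 5.2.2 before serving a protected resource, as an added example that is not code from the guide or from the Nokia API. The guide does not show the return types of WapRequest.getSecureClass() or getAuthenticationType(), so the enums below are stand-ins that adapter code would fill from those calls; the user names are constructed sample values.

```java
public class WapAccessPolicy {
    // Stand-ins (assumptions): adapter code would derive these from
    // WapRequest.getSecureClass() and WapRequest.getAuthenticationType().
    enum Transport { NO_WTLS, WTLS }
    enum AuthType { NONE, TRUSTED_MSISDN, PROXY_BASIC }
    enum Decision { ALLOW, DENY_NO_WTLS, DENY_UNAUTHENTICATED }

    /**
     * Decide whether a request may reach a resource.
     * sensitive  - true when the resource returns personal data or changes state
     * remoteUser - HttpServletRequest.getRemoteUser(), null unless proxy authentication was used
     * userName   - WapRequest.getUserName(), may be null
     */
    static Decision decide(boolean sensitive, Transport transport, AuthType auth,
                           String remoteUser, String userName) {
        if (!sensitive) {
            return Decision.ALLOW; // public decks need no further checks
        }
        // Without WTLS nothing encrypts the content or the Basic proxy credentials
        // between the terminal and the server, so fail closed before looking at identity.
        if (transport != Transport.WTLS) {
            return Decision.DENY_NO_WTLS;
        }
        if (auth == AuthType.NONE) {
            return Decision.DENY_UNAUTHENTICATED;
        }
        // getRemoteUser() is only set for proxy authentication; for users
        // authenticated by terminal address, use the server user name instead.
        String user = (auth == AuthType.PROXY_BASIC) ? remoteUser : userName;
        if (user == null || user.isEmpty()) {
            return Decision.DENY_UNAUTHENTICATED;
        }
        return Decision.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed sample requests covering each branch of the policy.
        System.out.println(decide(false, Transport.NO_WTLS, AuthType.NONE, null, null));
        System.out.println(decide(true, Transport.NO_WTLS, AuthType.PROXY_BASIC, "alice", "alice"));
        System.out.println(decide(true, Transport.WTLS, AuthType.NONE, null, null));
        System.out.println(decide(true, Transport.WTLS, AuthType.TRUSTED_MSISDN, null, "bob"));
        System.out.println(decide(true, Transport.WTLS, AuthType.PROXY_BASIC, "alice", "alice"));
    }
}
```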