UP.SDK Developer's Guide

Current chapter: Doing More with WML


Defining access control

All WML decks are public by default. Whenever you access a URL, you gain access to any variables it uses, creating a potential security risk. To control this risk, you can define access control rules on a per-deck basis. To specify which decks (in other words, URLs) can access a particular deck, include an <access> element in the deck header. The following is a synopsis of the <access> element:



Using the domain and path attributes

The default access control settings allow all decks (URLs) in the same domain to access your deck. You generally do not need to change the default settings unless:

When you specify values for these attributes, the UP.Browser compares those values to the URL of the requesting deck. The domain and path attributes are inclusive, meaning that the requesting deck must match both values in order to access the deck.

NOTE     You cannot specify multiple values for either the domain or path attributes. You must specify domain=".com" if you want to grant access to more than one domain (for example, both sun.com and microsoft.com). Similarly, you must specify path="/" to grant access to both the /foo and /bar directories.

The following table summarizes the effects of specifying different values for the domain and path attributes for a deck located at http://my.com/deck.wml:

DOMAIN       PATH     URLs that can access deck.wml     URLs that cannot access deck.wml
                      (examples)                        (examples)
-----------  -------  --------------------------------  --------------------------------
default      default  http://my.com/d1.wml              http://foo.com/d1.wml
                      http://www.my.com/d2.wml          http://bar.com/d2.wml
                      http://my.com/dir/d3.wml

foo.com      default  http://foo.com/dir/d1.wml         http://my.com/d1.wml
                      http://www.foo.com/d2.wml         http://bar.com/d2.wml

www.foo.com  default  http://www.foo.com/dir/d1.wml     http://my.com/d1.wml
                      http://d.www.foo.com/d2.wml       http://bar.com/d2.wml
                                                        http://foo.com/d3.wml

default      /dir     http://my.com/dir/d1.wml          http://my.com/d1.wml
                      http://my.com/dir/dev/d2.wml      http://my.com/test/d2.wml
                                                        http://foo.com/dir/d3.wml

foo.com      /dir     http://foo.com/dir/d1.wml         http://my.com/dir/d1.wml
                      http://foo.com/dir/dev/d2.wml     http://foo.com/d2.wml

When you specify a domain value, the UP.Browser performs a literal string match between the domain of the requesting deck and that value--it does not resolve names or aliases into canonical domain names. For example, if you specify domain="204.163.167.193" for your deck, a deck in the domain devgate2.uplanet.com will not have access to your deck, even if devgate2.uplanet.com is an alias for 204.163.167.193. In this case, the UP.Browser must have loaded the requesting deck from the URL http://204.163.167.193/path in order for it to access your deck.
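
The matching rules summarized in the table above, written out as an added Python example (not code from the UP.SDK or the UP.Browser). It assumes the domain is compared as a suffix of whole host labels and the path as a prefix of whole path segments, and that the default path is "/"; the names may_access, TABLE and table_mismatches are made up for this illustration.

```python
from urllib.parse import urlsplit

DECK = "http://my.com/deck.wml"  # the protected deck from the table above

def _labels(host):
    # Lower-cased host labels; the leading dot of a value like ".com" is ignored.
    return [p for p in (host or "").lower().split(".") if p]

def _segments(path):
    return [p for p in path.split("/") if p]

def may_access(requesting_url, domain=None, path="/", deck_url=DECK):
    """True if the deck at requesting_url passes the <access> rule on deck_url.
    domain=None models the default: the protected deck's own domain."""
    req = urlsplit(requesting_url)
    want = _labels(domain if domain is not None else urlsplit(deck_url).hostname)
    have = _labels(req.hostname)
    # Domain: suffix match on whole labels of the literal host (no DNS lookup).
    if len(want) > len(have) or have[len(have) - len(want):] != want:
        return False
    # Path: prefix match on whole segments; both attributes must match.
    want_p = _segments(path)
    return _segments(req.path)[:len(want_p)] == want_p

# Rows of the table: (domain, path, URLs allowed, URLs refused).
TABLE = [
    (None, "/", ["http://my.com/d1.wml", "http://www.my.com/d2.wml",
                 "http://my.com/dir/d3.wml"],
     ["http://foo.com/d1.wml", "http://bar.com/d2.wml"]),
    ("foo.com", "/", ["http://foo.com/dir/d1.wml", "http://www.foo.com/d2.wml"],
     ["http://my.com/d1.wml", "http://bar.com/d2.wml"]),
    ("www.foo.com", "/", ["http://www.foo.com/dir/d1.wml", "http://d.www.foo.com/d2.wml"],
     ["http://my.com/d1.wml", "http://bar.com/d2.wml", "http://foo.com/d3.wml"]),
    (None, "/dir", ["http://my.com/dir/d1.wml", "http://my.com/dir/dev/d2.wml"],
     ["http://my.com/d1.wml", "http://my.com/test/d2.wml", "http://foo.com/dir/d3.wml"]),
    ("foo.com", "/dir", ["http://foo.com/dir/d1.wml", "http://foo.com/dir/dev/d2.wml"],
     ["http://my.com/dir/d1.wml", "http://foo.com/d2.wml"]),
]

def table_mismatches():
    # URLs whose computed decision disagrees with the table (expected: none).
    bad = []
    for domain, path, allowed, refused in TABLE:
        bad += [u for u in allowed if not may_access(u, domain, path)]
        bad += [u for u in refused if may_access(u, domain, path)]
    return bad

if __name__ == "__main__":
    print(table_mismatches())
```

Under the whole-label assumption, a host that merely ends in the same characters (for instance a constructed notfoo.com checked against domain="foo.com") is refused, which a plain string suffix comparison would not guarantee.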



Navigating to other decks

As illustrated in Figure 2-7, the default access control settings let you navigate from your deck to any other URL in the same domain.

Figure  2-7.     Navigating between decks in the same domain

The UP.Browser displays an error message, however, if you try to navigate to a deck in a different domain (see Figure 2-8).

Figure  2-8.     Error navigating between decks in different domains

NOTE     Pressing the OPTIONS key displays the message Access Control Error.

In order for deck1.wml to access deck2.wml in this example, you must use the domain attribute to grant access to mydomain.com (as shown below).

Figure  2-9.     Allowing navigation between decks in different domains




Copyright © 2000, Phone.com Inc. All rights reserved.
Please send comments and questions to doc-comments@corp.phone.com.