The Internet Encyclopedia (Volume 3)

Cassel WL040/Bidgoli-Vol III-Ch-65 September 15, 2003 8:52 Char Count= 0


WIRELESS MARKUP LANGUAGE 813

The format mask allows minor validity checking of user
input. Although the WML code can do no processing, it can
filter input so that only items matching the expected
format are permitted. To check for reasonableness of values
entered, the code must be supplemented with processing.
Processing can be done by sending the data back to a
server or by embedding script in the page itself. Sending
data to a server involves the use of forms.
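The split between mask filtering and server-side processing described above, as an added example that is not from the encyclopedia: a Python form handler re-applies the format mask to the submitted value and then runs the reasonableness check the mask cannot express. The birth-date field, its MM/DD/YYYY order, the 1900 lower bound and the function names are assumptions, and only a subset of WML format codes is translated.

```python
import re
from datetime import datetime

# Subset of WML 1.x format codes as regex classes. Assumption: A and a are
# narrowed to letters only; nf (count-prefixed) codes are not handled.
CODES = {"N": "[0-9]", "A": "[A-Z]", "a": "[a-z]", "M": ".", "m": "."}


def mask_to_regex(mask):
    """Translate a WML-style format mask into a compiled regex."""
    parts, i = [], 0
    while i < len(mask):
        ch = mask[i]
        if ch == "\\" and i + 1 < len(mask):      # \c is the literal character c
            parts.append(re.escape(mask[i + 1]))
            i += 2
        elif ch == "*" and i + 2 == len(mask) and mask[i + 1] in CODES:
            parts.append(CODES[mask[i + 1]] + "*")  # *f: trailing run of code f
            i += 2
        elif ch in CODES:
            parts.append(CODES[ch])
            i += 1
        else:
            raise ValueError("unsupported mask element at position %d" % i)
    return re.compile("".join(parts))


def check_birth_date(raw, mask=r"NN\/NN\/NNNN"):
    """Server-side check of a hypothetical birth-date field (MM/DD/YYYY)."""
    # 1. Re-apply the mask: the server does not rely on the handset's filtering.
    if not mask_to_regex(mask).fullmatch(raw):
        return False, "format"
    # 2. Reasonableness: the mask cannot tell a real date from 99/99/0000.
    try:
        value = datetime.strptime(raw, "%m/%d/%Y")
    except ValueError:
        return False, "not a calendar date"
    if not 1900 <= value.year <= datetime.now().year:
        return False, "year out of range"
    return True, "ok"


# Constructed sample submissions, as they might arrive from a WML form.
SAMPLES = ["07/04/1985", "99/99/0000", "02/30/2001", "7/4/85", "07/04/1985x"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), check_birth_date(s))
```

The second and third samples satisfy the mask yet fail the date check, which is the gap between format filtering and reasonableness checking that the paragraph describes.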

Forms
Forms in WML are closely related to forms in HTML.
Users enter data that are transmitted to a server where
the data become input to a process running on the server.
The form contains text that describes the input needs
of the application and explains to the user how to
provide the needed information. Types of form elements for
collecting data include

Input elements, with type either text or password, and
a text input area. If the type is password, the data are
not displayed during entry. If type is text, the characters
are displayed as they are entered.

Select elements with their options.

Input elements without text input areas have either
type = checkbox or type = radio.

Input elements corresponding to button controls have
type = submit or type = reset.

Input elements with type = hidden are not displayed
for the user to see, but provide data for processing
at the server.

Clearly, the size of the display device will influence
the design of effective forms. Generally, text input should
be avoided unless essential. Descriptions and instructions
must be kept short. Checkboxes, radio boxes, and selection
lists will be easiest for the user and thus most likely
to provide correct information to background processes.
Most forms will require several screens to provide
instruction to the user and adequate display of the
information-gathering elements of the form. A significant challenge
for the WAP application developer is to think in terms of
small units of information presentation at any time, using
the scarce real estate of the screen to best advantage.

Forms processing occurs in the same way that it does
for traditional HTML forms. Form data are assembled
and transmitted to a server process as input to
a program. There is a difference in that a WAP proxy
gateway will generally be in the communication path.
This allows development of back end processing, whether
through CGI scripts, Java server pages, or other
technologies, without conscious thought about the restrictions
associated with the small wireless devices. Output from the
processing is then converted to a form suitable for display
on the WAP client and forwarded through the gateway.
The involvement of extra entities in the communication
and service steps allows efficient development of
applications to serve both standard and small-screen devices, but
introduces an extra layer of security concern.

Security
There are four aspects to security in general network
communications:

Privacy. Content is visible only to the intended recipient
and both parties have confidence that privacy is protected.
This is addressed with various levels of encryption. The
degree of confidence required will be weighed against
processing costs to determine the appropriate level of
encryption to use.

Integrity. Content is not modified between leaving the
sender and arriving at the recipient's device. Digital
signatures allow a document to be verified as being the same as
what was transmitted. A hash code is computed over the
document and sent as part of the signature. If the hash code
check on the recipient side does not produce the correct
results, the document has been modified.

Authentication. The sender's identity can be verified with
a very high degree of confidence. Passwords,
authentication, and digital signatures identify the originator.

Nonrepudiation. The sender cannot later deny having
sent the information. Digital signatures are the primary
tools for binding the sender to the document or resource
as sent.

The WAP architecture includes a wireless transport
layer security specification, which includes a view of the
wireless network access environment as shown in
Figure 11. The figure shows both pull and push proxies.
Network access is achieved in one of two modes: push or
pull. Pull access is initiated by the client and causes
information to be provided in response to a request. This
is the familiar request/response scenario of most Web
access. Push access is initiated by the sender. This involves
a message delivered to the client without an explicit
request from the client. Some examples of push technology
are familiar: pagers, Short Message Service, and e-mail
notification, when a user has signed up for the
notification service. The user chooses this form of intrusion in
order to remain aware of new activities or special offers.
Additional push services are anticipated as the wireless
Web develops.

End-to-end security is accomplished in the wired Web
through secure socket layer (SSL) encoding. In that
approach, a secure link is created end to end between the
sender and the receiver. Intermediate processing units,
such as routers, do not see the content of the message
and only participate in routing the message from source
to destination.

In the wireless Web, things are more complex. The
client and server usually do not communicate directly, but
rely on proxy or gateway machines to provide necessary
translation and retransmission services. The proxy
intervenes between the WAP-enabled wireless device and the
TCP/IP and HTTP process-enabled server. Thus, security
questions must include the degree of trust between the
content provider and the gateway and between the client
and the gateway, as well as between the client and the
content provider.

WAP includes WTLS, wireless transport layer
security. WTLS is used to provide secure service between a
client device and its pull gateway. WTLS is used for server
authentication. Client authentication, when required, is
left to existing mechanisms. Nonrepudiation is left to the