URL encoding in Java

 
Greenhorn
Posts: 9
Hi,

From my Java application (JSF 2.0) I am doing a redirect to an external URL which has some credentials as a part of the URL string. I would like to encode the credential part alone before redirection. My code currently is


The URL generated by this code is


As we can see towards the end of the encoded URL, only the special characters like "/" have been encoded. i.e.

from userid=username/passwd@DBname to userid=%3Dusername%2Fpasswd%40DBname

I want to generate a URL which will have the entire string "username/passwd@DBname" encoded. Something like:

userid=%63%64

Please let me know if there is any way in Java to achieve this.
 
Rancher
Posts: 43081
First off, URL encoding is a way to make characters that might not be safe to put into a URL safe for doing so. It does not alter characters which are safe to begin with (like characters and numbers). So if your aim is to obscure part of the data, then URL encoding is not the right way to do it. (Of course, since you want to put the data into a URL, you still need to URL-encode all of it, since that's what URL-encoding is all about.)

You didn't say so specifically, but I'm assuming that you want to protect the credentials from 3rd parties. No kind of encoding can do that, because encodings can be easily reversed. What you need is encryption, using a cipher like AES or DES. And since those give you raw bytes of data, you will need to encode those with something like base-64 so you can put them into a URL. IMO it's still not a good idea to put credentials into URLs, because URLs end up in all sorts of places (HTTP caches, browser histories, server access logs etc.) where you wouldn't want a password (even in encrypted form) to be stored long term.

I could go into more detail on all of this, but I want to make sure first that this is indeed what you intend to do, and that you understand the problems of encodings, and credentials in URLs in general.
 
Saloon Keeper
Posts: 27762
Just to reinforce what Ulf said, when I see a string that reads like "63 6C 6D 63 64 6D 64 ...", I start decoding it in my head. I've been working with ASCII (and EBCDIC) so long that half the time I don't even need a chart. Using the hex equivalents just barely slows me down.

If you want true security, encoding URLs isn't going to give it to you.
 
Divya Sudarsan
Greenhorn
Posts: 9
Thanks all for the replies. I do not want true security here as the application demands so. I just want to hide the credentials from the user in a way that the target server of the redirect understands. I got it resolved by converting the string to Hex.
 
Ulf Dittmer
Rancher
Posts: 43081
I would argue that this is worse than not obscuring the credentials at all. It creates a sense of security for those who don't understand what's going on, without actually creating any security. This is what Bruce Schneier calls "security theater", and it's not a good idea, no matter how much of it is happening all around us.
 