URL encoding in Java

Divya Sudarsan
Greenhorn

Joined: Feb 16, 2010
Posts: 9
Hi,

From my Java application (JSF 2.0) I am doing a redirect to an external URL which has some credentials as a part of the URL string. I would like to encode the credential part alone before redirection. My code currently is


The URL generated by this code is


As we can see towards the end of the encoded URL, only the special characters like "/" have been encoded. i.e.

from userid=username/passwd@DBname to userid=%3Dusername%2Fpasswd%40DBname

I want to generate a URL which will have the entire string "username/passwd@DBname" encoded. Something like:

userid=%63%64

Please let me know if there is any way in Java to achieve this.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39544
    
First off, URL encoding is a way to make characters that might not be safe to put into an URL safe for doing so. It does not alter characters which are safe to begin with (like characters and numbers). So if your aim is to obscure part of the data, then URL encoding is not the right way to do it. (Of course, since you want to put the data into an URL, you still need to URL-encode all of it, since that's what URL-encoding is all about.)

You didn't say so specifically, but I'm assuming that you want to protect the credentials from 3rd parties. No kind of encoding can do that, because encodings can be easily reversed. What you need is encryption, using a cipher like AES or DES. And since those give you raw bytes of data, you will need to encode those with something like base-64 so you can put them into an URL. IMO it's still not a good idea to put credentials into URLs, because URLs end up in all sorts of places - HTTP caches, browser histories, server access logs etc. - where you wouldn't want a password (even in encrypted form) to be stored long term.

I could go into more detail on all of this, but I want to make sure first that this is indeed what you intend to do, and that you understand the problems of encodings, and credentials in URLs in general.


Ping & DNS - updated with new look and Ping home screen widget
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15632
    

Just to reinforce what Ulf said, when I see a string that reads like "63 6C 6D 63 64 6D 64 ...", I start decoding it in my head. I've been working with ASCII (and EBCDIC) so long that half the time I don't even need a chart. Using the hex equivalents just barely slows me down.

If you want true security, encoding URLs isn't going to give it to you.


Customer surveys are for companies who didn't pay proper attention to begin with.
Divya Sudarsan
Greenhorn

Joined: Feb 16, 2010
Posts: 9
Thanks all for the replies. I do not want true security here as the application demands so. I just want to hide the credentials from the user in a way that the target server of the redirect understands. I got it resolved by converting the string to Hex.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39544
    
I would argue that this is worse than not obscuring the credentials at all. It creates a sense of security for those who don't understand what's going on, without actually creating any security. This is what Bruce Schneier calls "security theater", and it's not a good idea, no matter how much of it is happening all around us.
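
Added example, not part of the original thread: a Java sketch of the distinction drawn in the replies above, showing that percent-encoding every byte is undone by `URLDecoder` with no secret, while an encrypted value needs the key and is base64url-encoded to fit in a URL. The class and method names, the choice of AES-GCM (the thread only says "a cipher like AES"), and a key shared out of band with the target server are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

public class UrlParamDemo {
    // Percent-encode every byte, which is what the original question asked for.
    static String percentEncodeAll(String s) {
        StringBuilder sb = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) sb.append(String.format("%%%02X", b));
        return sb.toString();
    }

    // AES-GCM with a fresh 12-byte IV; the token is base64url(IV || ciphertext || tag).
    static String encrypt(SecretKey key, String plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }
    static String decrypt(SecretKey key, String token) throws Exception {
        byte[] in = Base64.getUrlDecoder().decode(token);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String cred = "username/passwd@DBname"; // sample value from the thread
        String everyByte = percentEncodeAll(cred);
        System.out.println(URLEncoder.encode(cred, "UTF-8")); // letters and digits pass through unchanged
        System.out.println(everyByte);
        System.out.println(URLDecoder.decode(everyByte, "UTF-8")); // readable again, no key needed
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey(); // assumption: shared out of band with the target server
        String token = encrypt(key, cred);
        System.out.println(token + " -> " + decrypt(key, token));
    }
}
```

Even the encrypted token still lands in caches, browser histories and access logs like any other URL component, which is the reservation raised in the thread.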
 