From my Java application (JSF 2.0) I am doing a redirect to an external URL which has some credentials as a part of the URL string. I would like to encode the credential part alone before redirection. My code currently is
The URL generated by this code is
As we can see towards the end of the encoded URL, only the special characters like "/" have been encoded. i.e.
from userid=username/passwd@DBname to userid=%3Dusername%2Fpasswd%40DBname
I want to generate a URL which will have the entire string "username/passwd@DBname" encoded. Something like:
userid=%63%64
Please let me know if there is any way in Java to achieve this
First off, URL encoding is a way to make characters that might not be safe to put into an URL safe for doing so. It does not alter characters which are safe to begin with (like characters and numbers). So if your aim is to obscure part of the data, then URL encoding is not the right way to do it. (Of course, since you want to put the data into an URL, you still need to URL-encode all of it, since that's what URL-encoding is all about.)
You didn't say so specifically, but I'm assuming that you want to protect the credentials from 3rd parties. No kind of encoding can do that, because encodings can be easily reversed. What you need is encryption, using a cipher like AES or DES. And since those give you raw bytes of data, you will need to encode those with something like base-64 so you can put them into an URL. IMO it's still not a good idea to put credentials into URLs, because URLs end up in all sorts of places (HTTP caches, browser histories, server access logs, etc.) where you wouldn't want a password (even in encrypted form) to be stored long term.
I could go into more detail on all of this, but I want to make sure first that this is indeed what you intend to do, and that you understand the problems of encodings, and credentials in URLs in general.
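The distinction Ulf draws, shown as an added Java example (not code posted in this thread): URL encoding round-trips with no secret at all, while AES-GCM encryption followed by URL-safe Base64 gives a token the redirect target can only read with a shared key. It assumes the receiving server holds the same AES key (shared out of band); the credential string is a constructed sample in the thread's format.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class UrlCredentialDemo {
    static final String CREDENTIAL = "username/passwd@DBname"; // constructed sample
    static final int IV_LEN = 12, TAG_BITS = 128;

    // AES-GCM encrypt, then URL-safe Base64 so the token needs no further escaping.
    // The random IV is prepended; the receiver must hold the same key to decrypt.
    static String encryptForUrl(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Reverse of encryptForUrl; GCM's tag also rejects a token altered in transit.
    static String decryptFromUrl(SecretKey key, String token) throws Exception {
        byte[] in = Base64.getUrlDecoder().decode(token);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // URL encoding escapes only reserved characters, and anyone can undo it without a key.
        String enc = URLEncoder.encode(CREDENTIAL, StandardCharsets.UTF_8.name());
        System.out.println("URL-encoded: userid=" + enc);
        System.out.println("Decoded by anyone: " + URLDecoder.decode(enc, StandardCharsets.UTF_8.name()));
        // Encryption under a key shared out of band with the redirect target.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        String token = encryptForUrl(key, CREDENTIAL);
        System.out.println("Encrypted token: userid=" + token);
        System.out.println("Decrypted with key: " + decryptFromUrl(key, token));
    }
}
```

Even the encrypted token still lands in caches, histories and access logs exactly as Ulf describes, so this only changes who can read it, not where it ends up.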
Just to reinforce what Ulf said, when I see a string that reads like "63 6C 6D 63 64 6D 64 ...", I start decoding it in my head. I've been working with ASCII (and EBCDIC) so long that half the time I don't even need a chart. Using the hex equivalents just barely slows me down.
If you want true security, encoding URLs isn't going to give it to you.
Customer surveys are for companies who didn't pay proper attention to begin with.
Thanks all for the replies. I do not want true security here as the application demands so. I just want to hide the credentials from the user in a way that the target server of the redirect understands. I got it resolved by converting the string to Hex.
I would argue that this is worse than not obscuring the credentials at all. It creates a sense of security for those who don't understand what's going on, without actually creating any security. This is what Bruce Schneier calls "security theater", and it's not a good idea, no matter how much of it is happening all around us.