
How to emulate HTTPS POST done in a form in a Java application

Posted on 2000-02-14
Last Modified: 2012-05-04
Hi,

I need to emulate in my Java application the POST request done from a form via HTTPS.  The information being posted must be secure because it contains credit card information. Here is what I have so far:


import java.io.OutputStreamWriter;
import java.net.URL;
import java.net.URLConnection;

// Open an HTTPS connection
URL url = new URL("https://myhost.com/secure/verify");
URLConnection conn = url.openConnection();
conn.setDoOutput(true);
conn.setDoInput(true);

// Sending information through HTTPS: POST
String postRequest = "credit_card=1234567890&exp_date=1102";
OutputStreamWriter osw = new OutputStreamWriter(conn.getOutputStream());
osw.write(postRequest, 0, postRequest.length());         // Do I need to encrypt the string postRequest?
osw.close();
// getInputData is the poster's own helper (not shown) that reads the response
String authMsg = getInputData(conn);


A web server uses this application to verify the credit card information submitted by on-line customers.  The opened URL location is a credit card verification site.  An appropriate message is then displayed to the customers depending on the result of the verification.  Using a web browser to do this is not an option.  

I have no problem establishing the HTTPS connection.  My question is this:

Even if this is an HTTPS connection, is it necessary for me to encrypt the string that represents the post request before it is being sent (see postRequest above)?  If so, what encryption mechanism and java method should I use?

Thank you.
Chien

Question by:rwdt123
 
LVL 5

Expert Comment

by:mbormann
ID: 2521601
Hello there,

I don't think it's necessary to encrypt the info as you are already running under SSL, but if it's desired to have more security you can look at this question.

http://www.experts-exchange.com/jsp/qShow.jsp?ta=java&qid=10235838 

Use the code given at the end.
0
 
LVL 1

Accepted Solution

by:
yoni99 earned 600 total points
ID: 2524525
The SSL connection should supply the security level you need; it includes data encryption and authentication. I'm not sure what you are using - it doesn't look like an SSL session to me.
I said "should" because the recommended strength is a 128-bit key for the encryption process; you should check if this is what the SSL session provides you.
If you think you need more you can try the JCE package from Sun; it has some encryption algorithms.
0
 

Author Comment

by:rwdt123
ID: 2524609
I left out a code segment that precedes what I've listed.  The code enables HTTPS prior to opening the connection.  

// Class.forName throws ClassNotFoundException when the class is missing; it never returns null
if (Class.forName("com.ms.net.wininet.WininetStreamHandlerFactory") != null)
    URL.setURLStreamHandlerFactory(
        new com.ms.net.wininet.WininetStreamHandlerFactory());


The Java code will be compiled using J++.  (I know, this is not pure Java).  I believe the stream handler factory gives me the ability to handle HTTPS and use SSL.  Is that a good assumption?
0
 
LVL 1

Expert Comment

by:yoni99
ID: 2525996
According to Microsoft it gives you the ability to handle HTTPS connections; your assumption is correct.

The SSL protocol provides anything you need; the only problem is to check what encryption strength you get from this connection.
The recommended strength is to have a 1024-bit key for RSA (public key) and at least 128 bits for the symmetric key. Since I didn't find the documentation of the package I can't tell you the strength of encryption you can get; keep in mind that the server you are connecting to is usually the one that agrees on the strength.
If you are connecting to a regular web server (and not your proprietary implementation) you are not able to further encrypt the data because the server would not know how to decrypt it.
It seems to me you have to put your trust in SSL.
0
 
LVL 5

Expert Comment

by:mbormann
ID: 2526020
Yes, but performance is slowed down, unfortunately. I wish we could have the cake and eat it too.
:~)
0
 
LVL 1

Expert Comment

by:yoni99
ID: 2526045
I had the same problem...
Security always comes at the expense of performance; there is not much you can do about it. Think of it this way - do you want a fast connection or a secured one?
0
 
LVL 5

Expert Comment

by:mbormann
ID: 2526090
Well, due to this new scare of Denial of Service by some foolish kids, lay persons are shying away from doing secure transactions. What the hell, some tinhorns go and shoot up and hooraw the town and the long-time residents have to bear the consequences.

What these guys, the laypersons I mean, don't realize is that phone conversations are very very easy to tap.

Another issue: 128 bits is I think only for USofA and not for the rest of the world.

Well ... I will stop my rambling now.
:~)
0
 
LVL 1

Expert Comment

by:yoni99
ID: 2526255
128 bits are for USA only BUT it is going to change in the next few months.
Besides, if you are the client and the server allows you to use 128 bits (and the client supports it) no one can tell you anything.
Denial of service doesn't compromise a secured connection. If you can establish a secure connection it will stay secured, if you can establish a connection it is denial of service.
As I see it the problem is not in the SSL protocol but in the security of the web server itself - if you keep the credit card numbers on the server in an unsecured way, everyone that hacks into it can steal the file with the numbers.
0
 

Author Comment

by:rwdt123
ID: 2526998
Thanks.  It seems that I'm on the right track.  I also appreciate the additional comments.
0
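
Added example, not part of the original thread or any poster's code: the advice above in Java, posting the form fields over HTTPS and checking the negotiated cipher suite before any card data is written. It assumes a current JDK with `HttpsURLConnection` rather than the J++ runtime discussed in the thread; the class name, the policy in `isAcceptableSuite` and the sample values are assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.StringJoiner;
import javax.net.ssl.HttpsURLConnection;

public class SecureFormPost {
    // Build the application/x-www-form-urlencoded body a browser form would send.
    static String encodeForm(Map<String, String> fields) {
        StringJoiner body = new StringJoiner("&");
        for (Map.Entry<String, String> e : fields.entrySet()) {
            body.add(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) + "="
                    + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return body.toString();
    }

    // Assumed local policy: reject suites with no, anonymous, export-grade or legacy encryption.
    static boolean isAcceptableSuite(String suite) {
        return !suite.matches(".*(_NULL_|_anon_|_EXPORT_|_RC4_|DES).*");
    }

    static int post(URL url, Map<String, String> fields) throws IOException {
        byte[] body = encodeForm(fields).getBytes(StandardCharsets.UTF_8);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setFixedLengthStreamingMode(body.length);
        conn.connect(); // handshake plus certificate and hostname checks, before any data
        String suite = conn.getCipherSuite();
        if (!isAcceptableSuite(suite)) {
            conn.disconnect();
            throw new IOException("Refusing to send card data over " + suite);
        }
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body); // plaintext to the application; TLS encrypts it on the wire
        }
        return conn.getResponseCode();
    }
    public static void main(String[] args) {
        // Constructed values; runs offline. Call post(...) against a real HTTPS endpoint.
        System.out.println(encodeForm(Map.of("credit_card", "1234567890", "exp_date", "11/02")));
        System.out.println(isAcceptableSuite("SSL_RSA_EXPORT_WITH_RC4_40_MD5"));
    }
}
```

The request body is never encrypted by the application itself; confidentiality comes from the TLS session, which is why the suite check runs before the first write.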
