Solved

How to emulate HTTPS POST done in a form in a Java application

Posted on 2000-02-14
Last Modified: 2012-05-04
Hi,

I need to emulate in my Java application the POST request done from a form via HTTPS.  The information being posted must be secure because it contains credit card information. Here is what I have so far:


import java.io.OutputStreamWriter;
import java.net.URL;
import java.net.URLConnection;

// Open an HTTPS connection
URL url = new URL("https://myhost.com/secure/verify");
URLConnection conn = url.openConnection();
conn.setDoOutput(true);
conn.setDoInput(true);

// Sending information through HTTPS: POST
String postRequest = "credit_card=1234567890&exp_date=1102";
OutputStreamWriter osw = new OutputStreamWriter(conn.getOutputStream());
osw.write(postRequest, 0, postRequest.length());         // Do I need to encrypt the string postRequest?
osw.close();
// getInputData is the poster's own helper (not shown) that reads the response
String authMsg = getInputData(conn);


A web server uses this application to verify the credit card information submitted by on-line customers.  The opened URL location is a credit card verification site.  An appropriate message is then displayed to the customers depending on the result of the verification.  Using a web browser to do this is not an option.  

I have no problem establishing the HTTPS connection.  My question is this:

Even if this is an HTTPS connection, is it necessary for me to encrypt the string that represents the post request before it is being sent (see postRequest above)?  If so, what encryption mechanism and java method should I use?

Thank you.
Chien

Question by:rwdt123
9 Comments
 
LVL 5

Expert Comment

by:mbormann
Hello there,

I don't think it's necessary to encrypt the info as you are already running under SSL, but if it's desired to have more security you can look at this question.

http://www.experts-exchange.com/jsp/qShow.jsp?ta=java&qid=10235838

Use the code given at the end.
0
 
LVL 1

Accepted Solution

by:
yoni99 earned 200 total points
The SSL connection should supply the security level you need, it includes data encryption and authentication. I'm not sure what you are using - it doesn't look like an SSL session to me.
I said "should" because the recommended strength is a 128-bit key for the encryption process, you should check if this is what the SSL session provides you.
If you think you need more you can try the JCE package from SUN, it has some encryption algorithms.
0
 

Author Comment

by:rwdt123
I left out a code segment that precedes what I've listed.  The code enables HTTPS prior to opening the connection.  

// Class.forName throws ClassNotFoundException if the Microsoft VM class is absent
if (Class.forName("com.ms.net.wininet.WininetStreamHandlerFactory") != null)
    URL.setURLStreamHandlerFactory(
        new com.ms.net.wininet.WininetStreamHandlerFactory());


The Java code will be compiled using J++.  (I know, this is not pure Java).  I believe the stream handler factory gives me the ability to handle HTTPS and use SSL.  Is that a good assumption?
0
 
LVL 1

Expert Comment

by:yoni99
According to Microsoft it gives you the ability to handle HTTPS connections, your assumption is correct.

The SSL protocol provides anything you need, the only problem is to check what encryption strength you get from this connection.
The recommended strength is to have a 1024-bit key for RSA (public key) and at least 128 bits for the symmetric key. Since I didn't find the documentation of the package I can't tell you the strength of encryption you can get, keep in mind that the server you are connecting to is usually the one that agrees on the strength.
If you are connecting to a regular web server (and not your proprietary implementation) you are not able to further encrypt the data because the server would not know how to decrypt it.
It seems to me you have to put your trust in SSL.
0
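The strength check suggested in the comment above, as an added example (not code from this thread or its participants): a standard-JDK `HttpsURLConnection` form POST that inspects the negotiated cipher suite before any form data is written. The class name `SecureFormPost`, the weak-suite list and the command-line endpoint argument are assumptions of this example; the field names and sample values are the ones in the question.

```java
import java.io.*;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;
public class SecureFormPost {
    // URL-encode name/value pairs the way a browser encodes a submitted form.
    static String encodeForm(String[][] fields) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (String[] f : fields) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(f[0], "UTF-8")).append('=')
              .append(URLEncoder.encode(f[1], "UTF-8"));
        }
        return sb.toString();
    }
    // Policy assumed for this example: reject export-grade, NULL, anonymous, RC4, DES and 3DES suites.
    static boolean isAcceptableSuite(String suite) {
        for (String weak : new String[] {"_EXPORT", "_NULL_", "_anon_", "_RC4_", "_DES_", "_3DES_"})
            if (suite.contains(weak)) return false;
        return true;
    }
    static String post(String endpoint, String body) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(endpoint).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.connect(); // TLS handshake, certificate and hostname checks happen here
        String suite = conn.getCipherSuite();
        if (!isAcceptableSuite(suite)) { // checked before any form data is written
            conn.disconnect();
            throw new IOException("refusing to send form over " + suite);
        }
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        try (BufferedReader in = new BufferedReader(
                new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
            StringBuilder resp = new StringBuilder();
            for (String line; (line = in.readLine()) != null; ) resp.append(line).append('\n');
            return resp.toString();
        }
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample values, taken from the question's postRequest string.
        String body = encodeForm(new String[][] {{"credit_card", "1234567890"}, {"exp_date", "1102"}});
        System.out.println(args.length > 0 ? post(args[0], body) : body);
    }
}
```

Run without arguments it only prints the encoded form body; given an `https://` URL as the first argument it performs the POST and prints the response.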
 
LVL 5

Expert Comment

by:mbormann
Yes, but performance is slowed down, unfortunately. I wish we could have the cake and eat it too.
:~)
0
 
LVL 1

Expert Comment

by:yoni99
I had the same problem...
Security always comes at the expense of performance, there is not much you can do about it. Think of it in this way - do you want a fast connection or a secured one?
0
 
LVL 5

Expert Comment

by:mbormann
Well, due to this new scare of Denial of Service by some foolish kids, lay persons are shying away from doing secure transactions. What the hell, some tinhorns go and shoot up and hooraw the town and the long-time residents have to bear the consequences.

What these guys, the laypersons I mean, don't realize is that phone conversations are very very easy to tap.

Another issue: 128 bits is, I think, only for the USA and not for the rest of the world.

Well ... I will stop my rambling now.
:~)
0
 
LVL 1

Expert Comment

by:yoni99
128 bits are for USA only BUT it is going to change in the next few months.
Besides, if you are the client and the server allows you to use 128 bits (and the client supports it) no one can tell you anything.
Denial of service doesn't compromise a secured connection. If you can establish a secure connection it will stay secured, if you can establish a connection it is denial of service.
As I see it the problem is not in the SSL protocol but in the security of the web server itself - if you keep the credit card numbers on the server in an unsecured way everyone that hacks into it can steal the file with the numbers.
0
 

Author Comment

by:rwdt123
Thanks.  It seems that I'm on the right track.  I also appreciate the additional comments.
0
