Solved

How to emulate HTTPS POST done in a form in a Java application

Posted on 2000-02-14
Last Modified: 2012-05-04
Hi,

I need to emulate in my Java application the POST request done from a form via HTTPS.  The information being posted must be secure because it contains credit card information. Here is what I have so far:


import java.io.OutputStreamWriter;
import java.net.URL;
import java.net.URLConnection;

// Open an HTTPS connection
URL url = new URL("https://myhost.com/secure/verify");
URLConnection conn = url.openConnection();
conn.setDoOutput(true);
conn.setDoInput(true);

// Sending information through HTTPS: POST
String postRequest = "credit_card=1234567890&exp_date=1102";
OutputStreamWriter osw = new OutputStreamWriter(conn.getOutputStream());
osw.write(postRequest, 0, postRequest.length());         // Do I need to encrypt the string postRequest?
osw.close();   // close the writer that was opened above so the body is flushed
// getInputData() is the poster's own helper (not shown); it reads the response from the same connection
String authMsg = getInputData(conn);


A web server uses this application to verify the credit card information submitted by on-line customers.  The opened URL location is a credit card verification site.  An appropriate message is then displayed to the customers depending on the result of the verification.  Using a web browser to do this is not an option.  

I have no problem establishing the HTTPS connection.  My question is this:

Even if this is an HTTPS connection, is it necessary for me to encrypt the string that represents the post request before it is being sent (see postRequest above)?  If so, what encryption mechanism and java method should I use?

Thank you.
Chien

0
Question by:rwdt123
9 Comments
 
LVL 5

Expert Comment

by:mbormann
ID: 2521601
Hello there,

I don't think it's necessary to encrypt the info as you are already running under SSL, but if it's desired to have more security you can look at this question.

http://www.experts-exchange.com/jsp/qShow.jsp?ta=java&qid=10235838 

Use the code given at the end.
0
 
LVL 1

Accepted Solution

by:
yoni99 earned 200 total points
ID: 2524525
The SSL connection should supply the security level you need; it includes data encryption and authentication. I'm not sure what you are using - it doesn't look like an SSL session to me.
I said "should" because the recommended strength is a 128-bit key for the encryption process; you should check if this is what the SSL session provides you.
If you think you need more you can try the JCE package from Sun; it has some encryption algorithms.
0
 

Author Comment

by:rwdt123
ID: 2524609
I left out a code segment that precedes what I've listed.  The code enables HTTPS prior to opening the connection.  

if (Class.forName("com.ms.net.wininet.WininetStreamHandlerFactory") != null)
    URL.setURLStreamHandlerFactory(
        new com.ms.net.wininet.WininetStreamHandlerFactory());


The Java code will be compiled using J++.  (I know, this is not pure Java).  I believe the stream handler factory gives me the ability to handle HTTPS and use SSL.  Is that a good assumption?
0
 
LVL 1

Expert Comment

by:yoni99
ID: 2525996
According to Microsoft it gives you the ability to handle HTTPS connections; your assumption is correct.

The SSL protocol provides anything you need; the only problem is to check what encryption strength you get from this connection.
The recommended strength is to have a 1024-bit key for RSA (public key) and at least 128 bits for the symmetric key. Since I didn't find the documentation of the package I can't tell you the strength of encryption you can get; keep in mind that the server you are connecting to is usually the one that agrees on the strength.
If you are connecting to a regular web server (and not your proprietary implementation) you are not able to further encrypt the data because the server would not know how to decrypt it.
It seems to me you have to put your trust in SSL.
0
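Added example, not code from this thread: one way to do the check the answers above recommend, inspecting the negotiated cipher suite and the server's RSA key length before the form body is sent, using the standard `javax.net.ssl.HttpsURLConnection` instead of the J++ WinInet handler. The host name, class and method names, the substring list of weak suites and the 2048-bit minimum are assumptions chosen for illustration.

```java
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;
import javax.net.ssl.HttpsURLConnection;

public class SecureFormPost {
    // Heuristic markers (assumed list) of suites with weak/no encryption or no server authentication.
    static final String[] WEAK = {"_NULL_", "_EXPORT_", "_anon_", "_RC4_", "_DES_", "_DES40_", "_3DES_"};
    static boolean isWeakSuite(String suite) {
        for (String marker : WEAK) if (suite.contains(marker)) return true;
        return false;
    }

    static int post(String endpoint, String card, String expiry, int minRsaBits) throws Exception {
        byte[] body = ("credit_card=" + URLEncoder.encode(card, "UTF-8")
                + "&exp_date=" + URLEncoder.encode(expiry, "UTF-8"))
                .getBytes(StandardCharsets.UTF_8);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(endpoint).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.connect();   // TLS handshake, certificate and host name validation happen here
        try {
            // Inspect what was negotiated before any card data leaves the process.
            String suite = conn.getCipherSuite();
            if (isWeakSuite(suite)) throw new SecurityException("weak cipher suite: " + suite);
            Certificate leaf = conn.getServerCertificates()[0];
            if (leaf.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) leaf.getPublicKey()).getModulus().bitLength();
                if (bits < minRsaBits) throw new SecurityException("RSA key too short: " + bits);
            }
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body);   // plain form encoding; TLS encrypts it on the wire
            }
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: placeholder host plus the dummy card data from the question.
        System.out.println(post("https://payments.example/secure/verify", "1234567890", "1102", 2048));
    }
}
```

The body is sent as ordinary URL-encoded form fields, matching what a browser form would post; the abort paths run after the handshake but before `getOutputStream()` is written to.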
 
LVL 5

Expert Comment

by:mbormann
ID: 2526020
Yes, but performance is slowed down, unfortunately. I wish we could have the cake and eat it too.
:~)
0
 
LVL 1

Expert Comment

by:yoni99
ID: 2526045
I had the same problem...
Security always comes at the expense of performance; there is not much you can do about it. Think of it in this way - do you want a fast connection or a secured one?
0
 
LVL 5

Expert Comment

by:mbormann
ID: 2526090
Well, due to this new scare of Denial of Service by some foolish kids, lay persons are shying away from doing secure transactions. What the hell, some tinhorns go and shoot up and hooraw the town and the long time residents have to bear the consequences.

What these guys, the laypersons I mean, don't realize is that phone conversations are very very easy to tap.

Another issue: 128 bits is, I think, only for the USA and not for the rest of the world.

Well ... I will stop my rambling now.
:~)
0
 
LVL 1

Expert Comment

by:yoni99
ID: 2526255
128 bits are for USA only BUT it is going to change in the next few months.
Besides, if you are the client and the server allows you to use 128 bits (and the client supports it) no one can tell you anything.
Denial of service doesn't compromise secured connection. If you can establish a secure connection it will stay secured, if you can establish a connection it is denial of service.
As I see it the problem is not in the SSL protocol but in the security of the web server itself - if you keep the credit card numbers on the server in an unsecured way everyone that hacks into it can steal the file with the numbers.
0
 

Author Comment

by:rwdt123
ID: 2526998
Thanks.  It seems that I'm on the right track.  I also appreciate the additional comments.
0
