Solved

How to emulate HTTPS POST done in a form in a Java application

Posted on 2000-02-14
Last Modified: 2012-05-04
Hi,

I need to emulate in my Java application the POST request done from a form via HTTPS.  The information being posted must be secure because it contains credit card information. Here is what I have so far:


import java.io.OutputStreamWriter;
import java.net.URL;
import java.net.URLConnection;

// Open an HTTPS connection
URL url = new URL("https://myhost.com/secure/verify");
URLConnection conn = url.openConnection();
conn.setDoOutput(true);
conn.setDoInput(true);

// Sending information through HTTPS: POST
String postRequest = "credit_card=1234567890&exp_date=1102";
OutputStreamWriter osw = new OutputStreamWriter(conn.getOutputStream());
osw.write(postRequest, 0, postRequest.length());         // Do I need to encrypt the string postRequest?
osw.close();
String authMsg = getInputData(conn);   // getInputData is the poster's own helper (not shown)


A web server uses this application to verify the credit card information submitted by on-line customers.  The opened URL location is a credit card verification site.  An appropriate message is then displayed to the customers depending on the result of the verification.  Using a web browser to do this is not an option.  

I have no problem establishing the HTTPS connection.  My question is this:

Even if this is an HTTPS connection, is it necessary for me to encrypt the string that represents the post request before it is being sent (see postRequest above)?  If so, what encryption mechanism and java method should I use?

Thank you.
Chien

0
Question by:rwdt123
9 Comments
 
LVL 5

Expert Comment

by:mbormann
ID: 2521601
Hello there,

I don't think it's necessary to encrypt the info as you are already running under SSL, but if it's desired to have more security you can look at this question.

http://www.experts-exchange.com/jsp/qShow.jsp?ta=java&qid=10235838 

Use the code given at the end.
0
 
LVL 1

Accepted Solution

by:
yoni99 earned 200 total points
ID: 2524525
The SSL connection should supply the security level you need; it includes data encryption and authentication. I'm not sure what you are using - it doesn't look like an SSL session to me.
I said "should" because the recommended strength is a 128-bit key for the encryption process; you should check if this is what the SSL session provides you.
If you think you need more you can try the JCE package from Sun; it has some encryption algorithms.
0
 

Author Comment

by:rwdt123
ID: 2524609
I left out a code segment that precedes what I've listed.  The code enables HTTPS prior to opening the connection.  

if (Class.forName(
"com.ms.net.wininet.WininetStreamHandlerFactory" )!=null)

    URL.setURLStreamHandlerFactory(
        new com.ms.net.wininet.WininetStreamHandlerFactory());


The Java code will be compiled using J++.  (I know, this is not pure Java).  I believe the stream handler factory gives me the ability to handle HTTPS and use SSL.  Is that a good assumption?
0

 
LVL 1

Expert Comment

by:yoni99
ID: 2525996
According to Microsoft it gives you the ability to handle HTTPS connections; your assumption is correct.

The SSL protocol provides anything you need; the only problem is to check what encryption strength you get from this connection.
The recommended strength is to have a 1024-bit key for RSA (public key) and at least 128 bits for the symmetric key. Since I didn't find the documentation of the package I can't tell you the strength of encryption you can get. Keep in mind that the server you are connecting to is usually the one that agrees on the strength.
If you are connecting to a regular web server (and not your proprietary implementation) you are not able to further encrypt the data because the server would not know how to decrypt it.
It seems to me you have to put your trust in SSL.
0
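The check suggested in the comment above (find out what strength the connection actually negotiated before trusting it with card data), as an added example that is not part of the original thread. It uses the standard JSSE `HttpsURLConnection` API rather than the J++ WinINet handler from the question; the class name, method names and the deny-list of suite-name markers are assumptions made for this illustration, and the list also rejects RC4 and 3DES, which is stricter than the 128-bit rule stated in the thread.

```java
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

public class SecureFormPost {
    // Markers in JSSE cipher suite names for no, export-grade or legacy encryption (assumed list).
    private static final String[] WEAK = {
        "_NULL_", "_anon_", "_EXPORT_", "_DES_", "_DES40_", "_RC2_", "_RC4_", "_3DES_"
    };

    // True if the negotiated suite name contains none of the weak markers above.
    static boolean isAcceptableSuite(String suite) {
        for (String marker : WEAK)
            if (suite.contains(marker)) return false;
        return true;
    }

    // Completes the TLS handshake, checks the suite, and only then writes the form body.
    static int postForm(URL url, String name, String value) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.connect(); // handshake plus default certificate and hostname checks
        String suite = conn.getCipherSuite();
        if (!isAcceptableSuite(suite)) {
            conn.disconnect();
            throw new IllegalStateException("Refusing to send over " + suite);
        }
        byte[] body = (URLEncoder.encode(name, "UTF-8") + "="
                + URLEncoder.encode(value, "UTF-8")).getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body); // plain form data; TLS encrypts it on the wire
        }
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Constructed suite names, so the check can be exercised without a network.
        String[] samples = {"TLS_AES_128_GCM_SHA256", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                            "TLS_DH_anon_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_NULL_MD5"};
        for (String s : samples)
            System.out.println(s + " -> " + (isAcceptableSuite(s) ? "ok" : "rejected"));
        if (args.length == 1) { // optional: URL of an HTTPS endpoint you operate
            System.out.println("HTTP " + postForm(new URL(args[0]), "exp_date", "1102"));
        }
    }
}
```

Run without arguments, it only classifies the constructed suite names; the form body is never written if the handshake ends on a rejected suite.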
 
LVL 5

Expert Comment

by:mbormann
ID: 2526020
Yes, but performance is slowed down, unfortunately. I wish we could have the cake and eat it too.
:~)
0
 
LVL 1

Expert Comment

by:yoni99
ID: 2526045
I had the same problem...
Security always comes at the expense of performance; there is not much you can do about it. Think of it this way - do you want a fast connection or a secured one?
0
 
LVL 5

Expert Comment

by:mbormann
ID: 2526090
Well, due to this new scare of Denial of Service by some foolish kids, lay persons are shying away from doing secure transactions. What the hell, some tinhorns go and shoot up and hooraw the town and the long-time residents have to bear the consequences.

What these guys, the laypersons I mean, don't realize is that phone conversations are very very easy to tap.

Another issue: 128 bits is, I think, only for USofA and not for the rest of the world.

Well ... I will stop my rambling now.
:~)
0
 
LVL 1

Expert Comment

by:yoni99
ID: 2526255
128 bits are for USA only BUT it is going to change in the next few months.
Besides, if you are the client and the server allows you to use 128 bits (and the client supports it) no one can tell you anything.
Denial of service doesn't compromise a secured connection. If you can establish a secure connection it will stay secured, if you can establish a connection it is denial of service.
As I see it the problem is not in the SSL protocol but in the security of the web server itself - if you keep the credit card numbers on the server in an unsecured way everyone that hacks into it can steal the file with the numbers.
0
 

Author Comment

by:rwdt123
ID: 2526998
Thanks.  It seems that I'm on the right track.  I also appreciate the additional comments.
0
