Solved

How to emulate HTTPS POST done in a form in a Java application

Posted on 2000-02-14
Last Modified: 2012-05-04
Hi,

I need to emulate in my Java application the POST request done from a form via HTTPS.  The information being posted must be secure because it contains credit card information. Here is what I have so far:


import java.io.OutputStreamWriter;
import java.net.URL;
import java.net.URLConnection;

// Open an HTTPS connection
URL url = new URL("https://myhost.com/secure/verify");
URLConnection conn = url.openConnection();
conn.setDoOutput(true);
conn.setDoInput(true);

// Sending information through HTTPS: POST
String postRequest = "credit_card=1234567890&exp_date=1102";
OutputStreamWriter osw = new OutputStreamWriter(conn.getOutputStream());
osw.write(postRequest, 0, postRequest.length());         // Do I need to encrypt the string postRequest?
osw.close();                                             // flush and finish the request body
String authMsg = getInputData(conn);                     // getInputData is the poster's own helper (not shown)


A web server uses this application to verify the credit card information submitted by on-line customers.  The opened URL location is a credit card verification site.  An appropriate message is then displayed to the customers depending on the result of the verification.  Using a web browser to do this is not an option.  

I have no problem establishing the HTTPS connection.  My question is this:

Even if this is an HTTPS connection, is it necessary for me to encrypt the string that represents the post request before it is being sent (see postRequest above)?  If so, what encryption mechanism and java method should I use?

Thank you.
Chien

Question by:rwdt123
9 Comments
 
LVL 5

Expert Comment

by:mbormann
ID: 2521601
Hello there,

I don't think it's necessary to encrypt the info as you are already running under SSL, but if it's desired to have more security you can look at this question.

http://www.experts-exchange.com/jsp/qShow.jsp?ta=java&qid=10235838 

Use the code given at the end.
0
 
LVL 1

Accepted Solution

by:yoni99 earned 200 total points
ID: 2524525
The SSL connection should supply the security level you need; it includes data encryption and authentication. I'm not sure what you are using - it doesn't look like an SSL session to me.
I said "should" because the recommended strength is a 128-bit key for the encryption process; you should check if this is what the SSL session provides you.
If you think you need more, you can try the JCE package from Sun; it has some encryption algorithms.
0
 

Author Comment

by:rwdt123
ID: 2524609
I left out a code segment that precedes what I've listed.  The code enables HTTPS prior to opening the connection.  

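// Class.forName throws ClassNotFoundException if the handler class is missing; it never returns null
if (Class.forName("com.ms.net.wininet.WininetStreamHandlerFactory") != null)
    URL.setURLStreamHandlerFactory(
        new com.ms.net.wininet.WininetStreamHandlerFactory());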


The Java code will be compiled using J++.  (I know, this is not pure Java).  I believe the stream handler factory gives me the ability to handle HTTPS and use SSL.  Is that a good assumption?
0

 
LVL 1

Expert Comment

by:yoni99
ID: 2525996
According to Microsoft, it gives you the ability to handle HTTPS connections; your assumption is correct.

The SSL protocol provides anything you need; the only problem is to check what encryption strength you get from this connection.
The recommended strength is to have a 1024-bit key for RSA (public key) and at least 128 bits for the symmetric key. Since I didn't find the documentation of the package I can't tell you the strength of encryption you can get; keep in mind that the server you are connecting to is usually the one that agrees on the strength.
If you are connecting to a regular web server (and not your proprietary implementation) you are not able to further encrypt the data because the server would not know how to decrypt it.
It seems to me you have to put your trust in SSL.
0
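The check suggested in the answers above (find out what strength the SSL session actually negotiated before sending the card data), as an added example that is not part of the original thread. It assumes a current JDK (Java 12 or later, for `HttpsURLConnection.getSSLSession()`) and the standard JSSE handler instead of the J++ WinINet factory; the class name, the `acceptable` policy and the sample suite list are constructed for illustration.

```java
import java.io.OutputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

public class CheckedHttpsPost {
    // Assumed policy for this example: TLS 1.2+ and a 128-bit-or-better AES or ChaCha20 suite.
    static final List<String> PROTOCOLS = List.of("TLSv1.2", "TLSv1.3");
    static final List<String> STRONG = List.of("AES_128", "AES_256", "CHACHA20");

    static boolean acceptable(String protocol, String suite) {
        return PROTOCOLS.contains(protocol) && STRONG.stream().anyMatch(suite::contains);
    }

    // Handshake first, inspect the negotiated session, and only then write the form body.
    static int post(String url, String form) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(url).toURL().openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.connect(); // TLS handshake plus certificate and hostname checks happen here
        SSLSession s = conn.getSSLSession()
                .orElseThrow(() -> new IllegalStateException("no TLS session available"));
        if (!acceptable(s.getProtocol(), s.getCipherSuite())) {
            conn.disconnect(); // nothing has been sent yet
            throw new SecurityException("weak session: " + s.getProtocol() + " " + s.getCipherSuite());
        }
        try (OutputStream out = conn.getOutputStream()) {
            out.write(form.getBytes(StandardCharsets.UTF_8));
        }
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample sessions: exercises the policy without any network access.
        String[][] samples = {
            {"TLSv1.3", "TLS_AES_128_GCM_SHA256"},
            {"TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
            {"SSLv3", "SSL_RSA_EXPORT_WITH_RC4_40_MD5"},
            {"TLSv1.2", "TLS_RSA_WITH_NULL_SHA256"},
        };
        for (String[] p : samples)
            System.out.println(p[0] + " " + p[1] + " -> " + acceptable(p[0], p[1]));
        if (args.length == 1) // optional live run against a URL you supply
            System.out.println("HTTP " + post(args[0], "credit_card=1234567890&exp_date=1102"));
    }
}
```

Because the body is written only after `connect()` and the session check, a connection that negotiated a weak protocol or suite is dropped before any form data leaves the client.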
 
LVL 5

Expert Comment

by:mbormann
ID: 2526020
Yes, but performance is slowed down, unfortunately. I wish we could have the cake and eat it too.
:~)
0
 
LVL 1

Expert Comment

by:yoni99
ID: 2526045
I had the same problem...
Security always comes at the expense of performance; there is not much you can do about it. Think of it in this way - do you want a fast connection or a secured one?
0
 
LVL 5

Expert Comment

by:mbormann
ID: 2526090
Well, due to this new scare of Denial of Service by some foolish kids, lay persons are shying away from doing secure transactions. What the hell, some tinhorns go and shoot up and hooraw the town and the long-time residents have to bear the consequences.

What these guys, the laypersons I mean, don't realize is that phone conversations are very very easy to tap.

Another issue: 128 bits is, I think, only for the USofA and not for the rest of the world.

Well ... I will stop my rambling now.
:~)
0
 
LVL 1

Expert Comment

by:yoni99
ID: 2526255
128 bits are for USA only BUT it is going to change in the next few months.
Besides, if you are the client and the server allows you to use 128 bits (and the client supports it), no one can tell you anything.
Denial of service doesn't compromise a secured connection. If you can establish a secure connection it will stay secured, if you can establish a connection it is denial of service.
As I see it the problem is not in the SSL protocol but in the security of the web server itself - if you keep the credit card numbers on the server in an unsecured way, everyone that hacks into it can steal the file with the numbers.
0
 

Author Comment

by:rwdt123
ID: 2526998
Thanks.  It seems that I'm on the right track.  I also appreciate the additional comments.
0
