
Does doPost encrypt the URL and its externally appended parameters

I have a small doubt regarding the working of doPost, which I have never tried before. I have created a web application with a third-party application integrated in it. I am appending the username and password to the URL with which I redirect to the third-party application, which authenticates the credentials at their end. The third party does not need the username and password to be encrypted or encoded, and hence I am trying to use a Servlet, where doPost actually encrypts this URL.

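    // Needs java.io.IOException and javax.servlet.http.HttpServletRequest / HttpServletResponse
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Username and password fetched from the database through a DAO
        // (userDao and thirdPartyUrl are placeholder names for the asker's own objects)
        String userDetails = userDao.getUserDetails();
        // The credentials are appended to the third-party URL as they are
        String url = thirdPartyUrl + userDetails;
        response.sendRedirect(url);
    }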

I would like to know whether the above doPost encrypts the above URL, mainly the username and password appended to it.

Additionally, I want to know whether response.sendRedirect(url) encodes the URL or its parameters and sends it to the other server.

No, this doPost will not encrypt the URL for you and even if it were to do that, the browser won't be able to use the encrypted URL.

What should have been done is this:

  1. The 3rd party app should share an API key with you.
  2. You should make a server side call to obtain a one-time key corresponding to a username. The 3rd party app makes a record of the username corresponding to this one-time key.
  3. Then you should send a redirect to your user's browser with that one-time key.
  4. The 3rd party app should match that one-time key with the recorded username and provide the required services.

Of course, you should talk to your app provider and figure out a secure way of transacting with them.
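The four steps above, simulated in one process as an added example (not part of the original answer and not any provider's real API). The `Provider` class, the `thirdparty.example` URL, the 60-second lifetime and the in-memory map are assumptions; in a real integration `issue` would be an HTTPS call between the two servers.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class OneTimeKeyHandoff {
    // Third-party side (hypothetical): issues and redeems one-time keys.
    static class Provider {
        private static final long TTL_SECONDS = 60; // assumed key lifetime
        private final byte[] apiKey;
        private final SecureRandom rng = new SecureRandom();
        private final Map<String, String[]> pending = new ConcurrentHashMap<>();

        Provider(String apiKey) { this.apiKey = apiKey.getBytes(StandardCharsets.UTF_8); }

        // Step 2: server-to-server call, authenticated with the shared API key.
        String issue(String presentedKey, String username) {
            if (!MessageDigest.isEqual(apiKey, presentedKey.getBytes(StandardCharsets.UTF_8)))
                throw new SecurityException("bad API key");
            byte[] raw = new byte[32]; // 256 bits from a CSPRNG, not guessable
            rng.nextBytes(raw);
            String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            long expires = Instant.now().getEpochSecond() + TTL_SECONDS;
            pending.put(key, new String[] { username, Long.toString(expires) });
            return key;
        }

        // Step 4: remove() makes the key single-use; expired keys are rejected.
        String redeem(String key) {
            String[] rec = pending.remove(key);
            if (rec == null || Instant.now().getEpochSecond() > Long.parseLong(rec[1])) return null;
            return rec[0];
        }
    }

    public static void main(String[] args) {
        Provider provider = new Provider("constructed-api-key");     // step 1: shared API key
        String key = provider.issue("constructed-api-key", "alice"); // step 2: constructed user
        // Step 3: only the opaque key goes into the browser redirect,
        // i.e. the string passed to response.sendRedirect(...) in doPost.
        String location = "https://thirdparty.example/sso?key=" + key;
        System.out.println("redirect: " + location);
        System.out.println("first redeem:  " + provider.redeem(key));
        System.out.println("second redeem: " + provider.redeem(key));
    }
}
```

The redirect URL can still end up in browser history, proxy logs and Referer headers, but what leaks there is a short-lived key that stops working after its first redemption, not the user's password.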

The URL does not get encrypted even when you are using a secure connection (like HTTPS). Instead, you can put the username and password as part of the POST parameters and use a secure connection.
