How to send special characters from javascript at frontend to java at backend?

Question

I have a rest web service whose url is

http://localhost/rest/authenticate?username=username&password=pa+ssw1&rd%

In password parameter have 3 special character.

1. + character read as white space
2. & character remove the all characters. for example - my password like this "passw&rd" and it will read like this "passw"
3. % character does not read the proper password, its read the null value.

my API like this ...

@Path("/authenticate")
public class AuthenticateService {

    private ILiteWebServiceFacade liteWebServiceFacade = ServiceLocator.locateService(ILiteWebServiceFacade.class);

    @POST
    @Produces(MediaType.APPLICATION_JSON)
    public Response authenticate(@FormParam("username") String username, 
                                 @FormParam("password") String password)
            throws RestException {

        AuthenticateResponse res = new AuthenticateResponse();
        try {
            res = liteWebServiceFacade.mobAuthenticate(username, password);
        } catch (RestApplicationException e) {
            res.setError(e.getErrorMessage().getErrorCode(), e.getErrorMessage().getErrorMessageKey());
        }
        return Response.ok(res).build();
    }
}

Can you please suggest me how to read all these special character?

Answer 1

Firstly, I recommend you not to send sensitive data like username and password in url. You should send it in request body.

A simple way to do that is Base64 encode on frontend in javascript and decode at backend in java.

FrontEnd : All chrome version, Firefox 1.0 and above, Internet Explorer 10 and above

 var string = 'pa+ssw1&rd%'; // Encode the String var encodedString = btoa(string); console.log(encodedString); // Outputs: cGErc3N3MSZyZCU= // Decode the String var decodedString = atob(encodedString); console.log(decodedString); // Outputs: pa+ssw1&rd% 

Backend:

For Java 8 and above:

import java.util.Base64;

byte[] decoded = Base64.getDecoder().decode(password);
decodedpassword = new String(decoded, "utf-8");

For < Java 8

import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.StringUtils;

public String decode1(String s) {
    return StringUtils.newStringUtf8(Base64.decodeBase64(s));
}

public String decode2(String s) {
    return new String(Base64.decodeBase64(s), "utf-8");
}

Maven / sbt repo: commons-codec, commons-codec, 1.8.

Answer 2

Fist of all, don't send passwords in the URL -- it's just really bad security as the query parameters can get logged in Apache or NGINX logs and are often exposed along the way.

Secondly, if you're using HTTP, understand that certain characters need to be escaped.

%2B +
%20 {space}
%26 &

You will have to make sure your code is actually decoding the strings, but depending on your framework it may do that automatically (Spring does, for example) or you may have to add a quick callout to decode.

If you change the behavior of the URI Encoding, you change the HTTP spec, and it's going to make it hard for anyone consuming your API to understand what's going on -- especially if you grab ampersands because any URI encoding will be broken for your API.

See the RFC: Uniform Resource Identifier (URI): Generic Syntax https://tools.ietf.org/html/rfc3986