3

I encrypt a text "good-bye, friend" using BasicTextEncryptor. So the encrypted value looks like below,

3qe80L1ap+cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=

Then I email a URL to the user with the above parameter as a token.

Then the user copies the below URL and presses enter,

http://localhost:8080/token=3qe80L1ap+cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=

But when I access the parameter in the Struts 2 application through the action method, it gives me the encrypted parameter as below,

3qe80L1ap cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=

The + is replaced by " ". So when I decrypt it, it gives me EncryptionOperationNotPossibleException.

Does Struts decode the + to " ", assuming the browser's + is an encoded character? In that case, is it OK if I replace the space with + before I proceed with decryption?

Roman C
Harshana

4 Answers

7

A better way would be to "URL encode" the string before appending it to actual URL.

URLEncoder.encode("3qe80L1ap+cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=", "ISO-8859-1");

This would make sure the token is correctly decoded.

To answer your question, Struts does not have any role in decoding the URL parameter. It's the core functionality of the application server to decode the URL parameter. So every HTTP parameter is subjected to decoding before reaching the application code.

Whatever is decoded by the server is available to the application (i.e. Struts in your case).

Now to explain why the + is not reaching your Struts application.

java.net.URLDecoder.decode("3qe80L1ap+cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=");

it returns 3qe80L1ap cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=

which means that + is not getting URL Decoded.

So, reiterating, every HTTP parameter (querystring or form POST) is subjected to decoding before reaching the application code.

When you URL encode your string, + is encoded as %2B and your Struts application will receive the correct decoded string.

Andrea Ligios
Santosh
  • Note that you should honor the recommendation in the javadoc for URLEncoder.encode() – always use UTF-8 as the character encoding. – ntoskrnl Jul 09 '13 at 19:30
3

You'll need to not put the base64 encoded string there, but encode it using the URLEncoder, like the following:

URLEncoder.encode("3qe80L1ap+cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=", "UTF-8")

That way you can put it in the link.

Erik Pragt
0

URLs cannot contain spaces. URL encoding normally replaces a space with a + sign.

Thus the server normally decodes a + sign to a space. See URLEncoder docs or read Java URL encoding of query string parameters.

Community
Roman C
0

Consider using a so-called URL safe variant of Base64. The most common variant, described in RFC 4648, uses - and _ instead of + and / respectively, and omits padding characters (=).

Most implementations of Base64 support this URL safe variant too, though if yours doesn't, it's easy enough to do manually.

ntoskrnl
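The two fixes suggested in the answers above (percent-encoding the token, or switching to URL-safe Base64), side by side with the failing case, as an added example that is not code from any of the posts. The class name TokenUrlDemo and its helper methods are hypothetical, containerDecode stands in for the servlet container's query-string decoding, and java.util.Base64 assumes Java 8 or later.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Base64;

public class TokenUrlDemo {
    // Token value quoted in the question (standard Base64 alphabet, contains '+').
    static final String TOKEN = "3qe80L1ap+cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=";

    // Stand-in (assumption) for what the container does to a query-string
    // value before the application code sees it.
    static String containerDecode(String rawQueryValue) throws Exception {
        return URLDecoder.decode(rawQueryValue, "UTF-8");
    }

    // Option 1: percent-encode the standard Base64 token before building the link.
    static String percentEncode(String token) throws Exception {
        return URLEncoder.encode(token, "UTF-8");
    }

    // Option 2: re-encode the same bytes with the RFC 4648 URL-safe alphabet, no padding.
    static String toUrlSafe(String standardB64) {
        byte[] raw = Base64.getDecoder().decode(standardB64);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Convert a URL-safe token back to the standard form the decryptor was given.
    static String fromUrlSafe(String urlSafeB64) {
        byte[] raw = Base64.getUrlDecoder().decode(urlSafeB64);
        return Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) throws Exception {
        // Unencoded token in the link: '+' is read as a space, corrupting the ciphertext.
        System.out.println("raw link      -> " + containerDecode(TOKEN));

        // Percent-encoded token: '+' travels as %2B and survives container decoding.
        String encoded = percentEncode(TOKEN);
        System.out.println("encoded link  -> " + encoded);
        System.out.println("round trip ok -> " + TOKEN.equals(containerDecode(encoded)));

        // URL-safe Base64: no character in the value is special in a query string.
        String safe = toUrlSafe(TOKEN);
        System.out.println("url-safe      -> " + safe);
        System.out.println("round trip ok -> "
                + TOKEN.equals(fromUrlSafe(containerDecode(safe))));
    }
}
```

Either option removes the need to patch spaces back into `+` on the receiving side; the token is decoded exactly once and reaches the decryptor byte-for-byte intact.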