
I have written a REST service to encrypt and decrypt URLs.

Encryption code:

@GET
@Produces("application/json")
@Path("/encrypt/")
public Response encryptWithQuery(@QueryParam("plainString") String plainString)
        throws JSONException {
    Response response = new Response();
    AesUtil util = new AesUtil(KEY_SIZE, ITERATION_COUNT);
    response = util.encrypt(SALT, IV, PASSPHRASE, plainString);
    return response;
}

Decryption code:

@GET
@Produces("application/json")
@Path("/decryptWP/")
public Response decryptWithQuery(@QueryParam("encryptString") String encryptString)
        throws JSONException {
    Response response = new Response();
    AesUtil util = new AesUtil(KEY_SIZE, ITERATION_COUNT);
    response = util.decrypt(SALT, IV, PASSPHRASE, encryptString);
    return response;
}

When I call my encrypt REST service I get the encrypted string.

URL for encryption:

http://localhost:9080/kttafm/keybank/encrypt?plainString=http://localhost:9080/kttafm/master.jsp?abc=zyx

But when I call the decryption REST service I get the exception below:

javax.crypto.BadPaddingException: Given final block not properly padded

But if I move from @QueryParam to @PathParam, the decryption works fine.

The decrypt method which works fine and decrypts the encrypted string is:

@GET
@Produces("application/json")
@Path("/decrypt/{encryptString}")
public Response decrypt(@PathParam("encryptString") String encryptString)
        throws JSONException {
    Response response = new Response();
    AesUtil util = new AesUtil(KEY_SIZE, ITERATION_COUNT);
    response = util.decrypt(SALT, IV, PASSPHRASE, encryptString);
    return response;
}

What am I missing?

Juniad Ahmed
  • Can you provide some more detailed info about the actual technology you're utilizing here? And please make clear which method moves from query to path. – Doe Johnson Oct 15 '15 at 11:05
  • By the way: Appending stuff to be encrypted to a URL seems to be a bad idea from a security perspective. – Doe Johnson Oct 15 '15 at 11:13
  • @QueryParam could have encoding-related processing. Can you show an example of an encrypted URL? Did you debug to check that it matches exactly the input argument encryptString? – Guy Bouallet Oct 15 '15 at 11:33
  • Hello Guy, the encrypted string using @QueryParam = "fbSjGsyDYfmJM4rAURhgdpX+XKQr8WTfiZC7PaBqK7KzfUEYau1cpXnhECqRT47n" – Juniad Ahmed Oct 15 '15 at 12:02

2 Answers

Please make sure you always encode the parameter on client side, e.g. using URLEncoder.

For example, your URL for encryption must be:

http://localhost:9080/kttafm/keybank/encrypt?plainString=http%3A%2F%2Flocalhost%3A9080%2Fkttafm%2Fmaster.jsp%3Fabc%3Dzyx
Michal

Given the encrypted string example "fbSjGsyDYfmJM4rAURhgdpX+XKQr8WTfiZC7PaBqK7KzfUEYau1cpXnhECqRT47n", I can see that there is a "+" character which is a candidate for URL decoding. You may use this URL decoding website http://meyerweb.com/eric/tools/dencoder/ to see that the + sign is transformed when you decode your string.

This would cause errors in decryption as your algorithm will not have exactly what is expected.

You can make sure of that by adding some debug message in your decrypt method as in this example:

@GET
@Produces("application/json")
@Path("/decrypt/{encryptString}")
public Response decrypt(@PathParam("encryptString") String encryptString)
        throws JSONException {
    System.out.println(encryptString);
    Response response = new Response();
    ...
}

A solution would be to perform URL encoding on the client side before calling the service. In this case, your example would look like: "fbSjGsyDYfmJM4rAURhgdpX%2BXKQr8WTfiZC7PaBqK7KzfUEYau1cpXnhECqRT47n"

Note the conversion of the + sign.

Guy Bouallet
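Both answers above say the same thing: the query-string decoder that feeds @QueryParam treats a bare "+" as a space, so the base64 ciphertext arrives corrupted and the cipher reports a padding error. The following Python snippet (an added example, not code from the question or either answer) reproduces that failure mode on the ciphertext string quoted in the question, shows the percent-encoding the client must apply, and adds the strict base64 check a decrypt endpoint should run before it ever touches the cipher, so a mangled token is rejected as a bad request instead of surfacing as a BadPaddingException. The functions `server_decode_query`, `strict_b64decode` and `client_encode` are hypothetical names chosen for this example.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import quote, unquote_plus

# Constructed sample: the base64 ciphertext from the question. It contains a
# '+', which is exactly the character that gets lost in query-string decoding.
CIPHERTEXT_B64 = "fbSjGsyDYfmJM4rAURhgdpX+XKQr8WTfiZC7PaBqK7KzfUEYau1cpXnhECqRT47n"


def server_decode_query(raw_value: str) -> str:
    """Mimic what a servlet container does to a @QueryParam value: it applies
    application/x-www-form-urlencoded decoding, expanding %XX escapes and
    turning a bare '+' into a space."""
    return unquote_plus(raw_value)


def strict_b64decode(token: str) -> Optional[bytes]:
    """Decode the token as strict base64. A token that is not clean base64
    (e.g. one containing a space) is rejected here with None, so the caller can
    return a 400 instead of passing corrupted bytes to the cipher, where the
    same problem would only show up later as a padding error."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def client_encode(token: str) -> str:
    """What the client must do before putting the ciphertext in a query string:
    percent-encode every reserved character, so '+' becomes '%2B' and '/'
    becomes '%2F'. URLEncoder.encode in Java does the same job."""
    return quote(token, safe="")


def decrypt_endpoint_input(raw_query_value: str) -> Optional[bytes]:
    """Server-side view: decode the query value the way the container would,
    then validate it. Returns the ciphertext bytes, or None if the token was
    mangled in transit."""
    return strict_b64decode(server_decode_query(raw_query_value))


if __name__ == "__main__":
    # Unencoded (the question's failing case): the '+' is decoded to a space.
    print(repr(server_decode_query(CIPHERTEXT_B64)))
    print(decrypt_endpoint_input(CIPHERTEXT_B64))          # None -> reject
    # Encoded on the client (the fix): the token survives intact.
    print(client_encode(CIPHERTEXT_B64))
    print(len(decrypt_endpoint_input(client_encode(CIPHERTEXT_B64))))  # 48
```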