
I have a Java app that looks like the code below. I need to be able to pass it a username, password and URL to perform a task. What will the URL call look like?

username will be an email, so: myemail@mail.com
password is just a string
url will be like: https://login.salesforce.com/services/Soap/u/37.0

So far I have this URL but it's not working:

localhost:8080/myAPP/webapi/myapi?user=some@email.com&pass=jsjjsd&url=https://login.salesforce.com/services/Soap/u/37.0

Class code:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/myapi")
public class myClass {

    @GET
    @Path("/{user}/{pass}/{url}")   // user, pass and url are path segments here, not query parameters
    @Produces(MediaType.APPLICATION_JSON)
    public String foo(@PathParam("user") String user,
                      @PathParam("pass") String pass,
                      @PathParam("url") String url) {
        return "test";
    }
}
Hello World

3 Answers


Sending sensitive data in the URL is a pretty bad idea. Never ever do it. The requested URL is logged by servers and proxies. If the URL is requested by a browser, the URL goes to the browser history. It's a security breach.

What you shouldn't do

Find below two bad approaches that you must never use.

If your endpoint is like:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/myapi")
public class MyResource {

    @GET
    @Path("/{user}/{pass}/{url}")
    @Produces(MediaType.APPLICATION_JSON)
    public String foo(@PathParam("user") String user,
                      @PathParam("pass") String pass,
                      @PathParam("url") String url) {
        // ... handle the request here
        return "";
    }
}

The request would be like:

GET /myAPP/webapi/myapi/some%40email.com/jsjjsd/https%3A%2F%2Flogin.salesforce.com%2Fservices%2FSoap%2Fu%2F37.0 HTTP/1.1
Host: localhost:8080
Accept: application/json

If your endpoint is like:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;

@Path("/myapi")
public class MyResource {

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public String foo(@QueryParam("user") String user,
                      @QueryParam("pass") String pass,
                      @QueryParam("url") String url) {
        // ... handle the request here
        return "";
    }
}

The request would be like:

GET /myAPP/webapi/myapi?user=some%40email.com&pass=jsjjsd&url=https%3A%2F%2Flogin.salesforce.com%2Fservices%2FSoap%2Fu%2F37.0 HTTP/1.1
Host: localhost:8080
Accept: application/json

Please mind that the parameter values are URL encoded. For further reference, check this answer.

What you should do

When sending sensitive data over the wire, the use of HTTPS is highly advisable. HTTPS will protect you against the man-in-the-middle attack. For a Certification Authority, you may consider Let's Encrypt. It claims to be free, automated, and open.

Instead of sending those parameters in the URL, you should send them in the request payload using POST. The request payload could be JSON, for example. Since you are using JAX-RS, you can use a JSON provider such as Jackson.

To do it, define a bean like the following:

import java.io.Serializable;

public class Credentials implements Serializable {

    private String user;
    private String pass;
    private String url;

    // Getters and setters omitted
}

And consume it in your resource method:

import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/myapi")
public class MyResource {

    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public String foo(Credentials credentials) {
        // ... use the credentials here
        return "";
    }
}

The request would be like:

POST /myAPP/webapi/myapi HTTP/1.1
Host: localhost:8080
Content-Type: application/json
Accept: application/json

{
  "user": "some@email.com",
  "pass": "jsjjsd",
  "url": "https://login.salesforce.com/services/Soap/u/37.0"
}
cassiomolin
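A complete server side for the POST approach described in this answer, as an added example that is not part of the answer itself: the Credentials bean with the getters and setters Jackson needs to bind the JSON body, and the JAX-RS resource that consumes it. The javax.ws.rs imports assume JAX-RS 2.x with Jackson registered as the JSON provider; the validation and the response body are my own additions.

```java
// File: Credentials.java
import java.io.Serializable;

// Bean that Jackson binds from the JSON request body. Jackson needs a
// no-arg constructor (implicit here) plus getters/setters or public fields.
public class Credentials implements Serializable {
    private String user;
    private String pass;
    private String url;

    public String getUser() { return user; }
    public void setUser(String user) { this.user = user; }
    public String getPass() { return pass; }
    public void setPass(String pass) { this.pass = pass; }
    public String getUrl() { return url; }
    public void setUrl(String url) { this.url = url; }

    // Mask the secret so that logging the bean never writes the password out
    @Override
    public String toString() {
        return "Credentials[user=" + user + ", pass=****, url=" + url + "]";
    }
}

// File: MyResource.java
import javax.ws.rs.BadRequestException;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/myapi")
public class MyResource {
    @POST
    @Consumes(MediaType.APPLICATION_JSON)   // JSON body -> Credentials via Jackson
    @Produces(MediaType.APPLICATION_JSON)
    public String foo(Credentials credentials) {
        // Reject incomplete bodies before anything downstream touches them
        if (credentials == null || credentials.getUser() == null
                || credentials.getPass() == null || credentials.getUrl() == null) {
            throw new BadRequestException("user, pass and url are required");
        }
        // The password travels only in the request body (over HTTPS), never in
        // the request line, so it stays out of access logs and browser history.
        return "{\"status\":\"ok\"}";
    }
}
```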

Your URL is incorrect. In your method you are defining path params, but your URL has query params.

Change your URL or your method.

The main error is your implementation. It's a terrible security practice to send credentials via the URL in plain text. Consider using some encryption for the password and managing tokens for your application. The URL to log in would be managed by the backend. Consider using a POST method.

Look at this: Best practice for REST token-based authentication with JAX-RS and Jersey

Regards

Cesardl

You have to use the QueryParam annotation instead.

Example:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;

@Path("/myapi")
public class myClass {

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public String foo(@QueryParam("user") String user,
                      @QueryParam("pass") String pass,
                      @QueryParam("url") String url) {
        return "test";
    }
}
Mickael
  • Sending passwords in the URL is a **pretty bad idea**. – cassiomolin Aug 12 '16 at 08:08
  • I agree. But it doesn't mean the solution is wrong. It just means the approach to the problem is wrong. – Mickael Aug 12 '16 at 08:23
  • The solution provided is partially correct: the query parameter values must be URL encoded. But always mind the approach is bad and the OP should not be encouraged to follow the wrong path. – cassiomolin Aug 12 '16 at 08:46