
We have an existing rest web service that does a certain online transaction. It was created to receive input of @FormParam type. When we call this web service, we initially just passed the values by appending it to the url

e.g. /sometransaction?creditCardNumber=123

Problem is, since the number is appended to the url, this gets logged in the web server http requests logs. This can't be since this is sensitive information. We need to pass this the same way a HTML form does a POST submit, in order for the parameters not to be appended to the url and get logged by the web server. Problem is, we don't have a UI page to do this. This is just basically a web service calling another web service.

How can we achieve this?

Code:

import javax.ws.rs.BeanParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;

@POST
@Path("/dotransaction")
public Response doTransaction(@BeanParam TxnParams params) {
    return Response.ok().build(); // placeholder body: process params here
}

It's a rest web service; the params class TxnParams has @FormParam attributes.

1 Answer


Ensure the Content-Type is set to application/x-www-form-urlencoded and send the data in the request payload.

Use & to separate the parameters and use = to associate the parameter with its value.

That's what the request will be like:

POST /sometransaction HTTP/1.1
Host: example.org
Content-Type: application/x-www-form-urlencoded

creditCardNumber=4111111111111111&expirationDate=09-2016

And always use HTTPS when sending sensitive information over the wire.

cassiomolin
  • What do you mean include in the request payload? In the header? – lecarpetron dookmarion Aug 09 '16 at 08:12
  • @lecarpetrondookmarion *request payload* = *body of the request* – cassiomolin Aug 09 '16 at 08:13
  • So same thing as before but only difference is the content type is url encoded? Correct? – lecarpetron dookmarion Aug 09 '16 at 08:14
  • @lecarpetrondookmarion The parameter values must be URL encoded. – cassiomolin Aug 09 '16 at 08:15
  • So we can append the params in the url as long as the content type is url encoded? – lecarpetron dookmarion Aug 09 '16 at 08:18
  • @lecarpetrondookmarion URL encoding does not protect you against anything. **NEVER** send sensitive data in the URL and **ALWAYS** use HTTP when sending sensitive information over the wire. – cassiomolin Aug 09 '16 at 08:23
  • So basically you're saying we can append it in the url if we encrypt the param values. That's the only way. Correct? – lecarpetron dookmarion Aug 09 '16 at 08:25
  • @lecarpetrondookmarion If you use proper cryptography, you could append the parameters to the URL (URL encoding is not cryptography). I have no idea what your web service does, but I think those parameters won't fit well in the URL. If you are using `POST`, send them in the request payload as I've mentioned. – cassiomolin Aug 09 '16 at 08:30
  • I don't get the payload you are saying. The payload is the actual content right? Which is also the param values passed on the rest service url. We are using @FormParam inputs. So we want to simulate the POST form submission without using an HTML page – lecarpetron dookmarion Aug 09 '16 at 08:36
  • @lecarpetrondookmarion **Request payload** means **body of the request**. Why don't you edit your question and share a bit of code? Show what you have tried to consume your service. Show what your service looks like. The best way to describe what you are doing is showing the code. Create a [Minimal, Complete, and Verifiable example](http://stackoverflow.com/help/mcve). – cassiomolin Aug 09 '16 at 08:50
  • Question edited. Sorry the code is not formatted well. I'm using my mobile phone – lecarpetron dookmarion Aug 09 '16 at 09:01
  • @lecarpetrondookmarion And how about your client code? How are you consuming such endpoint? What have you tried so far? – cassiomolin Aug 09 '16 at 09:02
  • We use httpurlconnection class and just append input parameters to the rest service url called. Now that we will be adding sensitive info, this can no longer be done – lecarpetron dookmarion Aug 09 '16 at 09:12
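A client that does what the answer describes with the HttpURLConnection class the asker already uses: the parameters go into an application/x-www-form-urlencoded request body instead of the query string, so the server's access log sees only the path. This is an added example, not code from the question or the answer; the endpoint URL and the card values are constructed placeholders.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class FormPostClient {

    // Build an application/x-www-form-urlencoded body: keys and values are
    // URL-encoded and pairs joined with '&'. Encoding only makes the body
    // well-formed; confidentiality comes from HTTPS, not from encoding.
    static String encodeForm(Map<String, String> params) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), "UTF-8"))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return sb.toString();
    }

    // POST the parameters in the request body, leaving the URL free of
    // sensitive values so the server's access log records only the path.
    static int postForm(String endpoint, Map<String, String> params) throws IOException {
        byte[] body = encodeForm(params).getBytes("UTF-8");
        HttpURLConnection conn = (HttpURLConnection) new URL(endpoint).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true); // we are sending a request body
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setFixedLengthStreamingMode(body.length); // sets Content-Length
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values; the endpoint is a placeholder (assumption).
        Map<String, String> params = new LinkedHashMap<>();
        params.put("creditCardNumber", "4111111111111111");
        params.put("expirationDate", "09-2016");
        int status = postForm("https://example.org/sometransaction", params);
        System.out.println("HTTP status: " + status);
    }
}
```

An https:// endpoint makes openConnection() return an HttpsURLConnection, so the same code sends the body over TLS as the answer recommends.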