Weblogic 12c server ignoring '#' symbol in URL

Question

I have GET request being sent to weblogic 12c server, which carries user info and on the server side i grab these info to process the request.

And the GET request looks like below:

URL:/prem/JSP/xml/prems.jsp?username=rjanga&password=1234roh#&address=3450Rivast&city=FT+COLLINS&state=CO&zip=80526.

since i have a '#' symbol in my password weblogic server is ignoring it and anything after it.

it only sees url as /prem/JSP/xml/prems.jsp?username=rjanga&password=1234roh (ignoring the symbol '#' and all strings after it like address, city..etc)

After doing some research and going through this link i tried solution mention in it.

but it did not help, any help is appreciated.

Answer 1

You're going to have to do the encoding on the password field. Putting the password in the URL is HORRIBLY insecure. You shouldn't be doing it. That said, here is some info:

From http://java.sun.com/j2se/1.5.0/docs/api/java/net/URL.html :

The URL class does not itself encode or decode any URL components according to the escaping mechanism defined in RFC2396. It is the responsibility of the caller to encode any fields, which need to be escaped prior to calling URL, and also to decode any escaped fields, that are returned from URL. Furthermore, because URL has no knowledge of URL escaping, it does not recognise equivalence between the encoded or decoded form of the same URL. For example, the two URLs:

http://foo.com/hello world/ 

and

http://foo.com/hello%20world

would be considered not equal to each other.

Note, the URI class does perform escaping of its component fields in certain circumstances. The recommended way to manage the encoding and decoding of URLs is to use URI, and to convert between these two classes using toURI() and URI.toURL().

It will be up to you to encode and decode those URL strings.