You're going to have to do the encoding on the password field. Putting the password in the URL is HORRIBLY insecure. You shouldn't be doing it. That said, here is some info:
From http://java.sun.com/j2se/1.5.0/docs/api/java/net/URL.html :
The URL class does not itself encode or decode any URL components according to the escaping mechanism defined in RFC2396. It is the responsibility of the caller to encode any fields, which need to be escaped prior to calling URL, and also to decode any escaped fields, that are returned from URL. Furthermore, because URL has no knowledge of URL escaping, it does not recognise equivalence between the encoded or decoded form of the same URL. For example, the two URLs:
http://foo.com/hello world/
and
http://foo.com/hello%20world
would be considered not equal to each other.
Note, the URI class does perform escaping of its component fields in certain circumstances. The recommended way to manage the encoding and decoding of URLs is to use URI, and to convert between these two classes using toURI() and URI.toURL().
It will be up to you to encode and decode those URL strings.