Tags: java, url, encryption, struts2, urlencode

Get parameter + replace with space when processing in action class


I encrypt the text "good-bye, friend" using BasicTextEncryptor. The encrypted value looks like this:

3qe80L1ap+cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=

Then, I email a URL to the user with the above value as a token parameter.

Then, the user copies the below URL and presses enter,

http://localhost:8080/token=3qe80L1ap+cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=

But when I access the parameter in my Struts 2 application through the action method, it gives me the encrypted parameter as below:

3qe80L1ap cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=

The + is replaced by " ". So, when I decrypt it, it gives me EncryptionOperationNotPossibleException.

Does Struts decode the + to " ", assuming the browser's + is an encoded character? In that case, is it OK if, before I proceed with decryption, I replace the space with +?


Solution

  • A better way would be to "URL encode" the string before appending it to actual URL.

    URLEncoder.encode("3qe80L1ap+cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=", "ISO-8859-1");
    

    This would make sure the token is correctly decoded.

    To answer your question, Struts does not have any role in decoding the URL parameter. It's the core functionality of the application server to decode the URL parameter. So every HTTP parameter is subjected to decoding before reaching the application code.

    Whatever is decoded by the server is available to the application (i.e. Struts in your case).

    Now to explain why the + is not reaching your Struts application.

    java.net.URLDecoder.decode("3qe80L1ap+cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=");
    

    it returns 3qe80L1ap cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=

    which means that + is not getting URL Decoded.

    So, reiterating, every HTTP parameter (querystring or form POST) is subjected to decoding before reaching the application code.

    When you URL encode your string, + is encoded as %2B and your Struts application will receive the correct decoded string.
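
The round trip described in the answer, as an added example that is not part of the original answer. It assumes Java 10+ (for the `Charset` overloads); the class name, `buildLink`, and `parseQuery` are hypothetical, and `parseQuery` is only a simplified stand-in for the form-style decoding the application server performs before Struts sees the parameter.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class TokenLinkDemo {
    // Token value taken from the question above.
    static final String TOKEN = "3qe80L1ap+cR2zRU9csFwOffw5NtWTueLRYgSXyjctI=";

    // Sender side: percent-encode the value before placing it in the link,
    // so '+' travels as %2B and '=' as %3D.
    static String buildLink(String base, String token) {
        return base + "?token=" + URLEncoder.encode(token, StandardCharsets.UTF_8);
    }

    // Receiver side (assumption: simplified model of the container's decoding).
    // Form-style decoding turns a literal '+' into a space and %XX into bytes.
    static Map<String, String> parseQuery(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        int q = url.indexOf('?');
        if (q < 0) return params;
        for (String pair : url.substring(q + 1).split("&")) {
            int eq = pair.indexOf('='); // split on the first '=' only
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    public static void main(String[] args) {
        String base = "http://localhost:8080/";     // host from the question
        String rawLink = base + "?token=" + TOKEN;  // token appended unencoded
        String safeLink = buildLink(base, TOKEN);   // token URL-encoded first

        String fromRaw = parseQuery(rawLink).get("token");
        String fromSafe = parseQuery(safeLink).get("token");

        System.out.println("encoded link         : " + safeLink);
        System.out.println("raw link round-trips : " + TOKEN.equals(fromRaw));
        System.out.println("safe link round-trips: " + TOKEN.equals(fromSafe));
    }
}
```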