I have working Java code that does the following:
    URL myUrl = new URL("http://localhost:8080/webservice?user=" + username + "&password=" + password + "&request=x");
    HttpURLConnection myConnection = (HttpURLConnection) myUrl.openConnection();
    myConnection.setRequestMethod("POST");
However, I noticed that in my web server access log, a plaintext password was specified for all connected users. I would like to get this from the access log, but the web server administrators claim that this needs to be changed in my code, and not through the web server configuration.
I tried changing the code to the following:
    URL myUrl = new URL("http://localhost:8080/webservice");
    HttpURLConnection myConnection = (HttpURLConnection) myUrl.openConnection();
    myConnection.setRequestMethod("POST");
    // start of new code
    myConnection.setDoOutput(true);
    myConnection.addRequestProperty("username", username);
    myConnection.addRequestProperty("password", password);
    myConnection.addRequestProperty("request", "x");
    // code continues to read the response stream
The access log now does not contain the username / password / request method. However, the webservice now throws an exception indicating that it has not received any username / password.
What did I do wrong in my client code? I also tried using "setRequestProperty" instead of "addRequestProperty" and got the same behavior.
David
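An added example, not part of the original post: `addRequestProperty` sets HTTP request headers, not request parameters, so a service that reads form parameters sees nothing. The sketch below sends the same three parameters as an `application/x-www-form-urlencoded` POST body, which keeps them out of the request line that access logs record. The class name `FormPostDemo`, the helper `formEncode`, the sample credentials and the embedded stand-in server are all constructed for illustration, and it assumes the real service accepts form-encoded POST bodies (Java 9+ for `readAllBytes`).

```java
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class FormPostDemo {
    // Build an application/x-www-form-urlencoded body from name/value pairs.
    static String formEncode(String... pairs) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < pairs.length; i += 2) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(pairs[i], "UTF-8")).append('=')
              .append(URLEncoder.encode(pairs[i + 1], "UTF-8"));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the web service: prints what the server receives.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/webservice", ex -> {
            String body = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
            // The request line is what a typical access log records.
            System.out.println("request line: " + ex.getRequestMethod() + " " + ex.getRequestURI());
            System.out.println("password header: " + ex.getRequestHeaders().getFirst("password"));
            System.out.println("body has password param: " + body.contains("password="));
            ex.sendResponseHeaders(204, -1);
            ex.close();
        });
        server.start();

        // Constructed sample credentials; '&' and '=' in the value get percent-encoded.
        byte[] body = formEncode("user", "alice", "password", "p&ss=word", "request", "x")
                .getBytes(StandardCharsets.UTF_8);
        URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/webservice");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setFixedLengthStreamingMode(body.length);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body); // parameters travel in the body, not in the URL or headers
        }
        System.out.println("status: " + conn.getResponseCode());
        server.stop(0);
    }
}
```

The stand-in server prints a request line of `POST /webservice` with no query string and a `null` password header, while the body carries the parameters. Over plain `http` the body still crosses the network unencrypted, so keeping it out of the log does not protect it in transit.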