URL construction is tricky because different parts of the URL have different rules for what characters are allowed: for example, the plus sign is reserved in the query component of a URL because it represents a space, but in the path component of the URL, a plus sign has no special meaning and spaces are encoded as “%20”.
RFC 2396 explains (in section 2.4.2) that a complete URL is always in its encoded form: you take the strings for the individual components (scheme, authority, path, etc.), encode each according to its own rules, and then combine them into the complete URL string. Trying to build a complete unencoded URL string and then encode it separately leads to subtle bugs, like spaces in the path being incorrectly changed to plus signs (which an RFC-compliant server will interpret as real plus signs, not encoded spaces).
In Java, the correct way to build a URL is with the
URI class. Use one of the multi-argument constructors that takes the URL components as separate strings, and it’ll escape each component correctly according to that component’s rules. The
toASCIIString() method gives you a properly-escaped and encoded string that you can send to a server. To decode a URL, construct a
URI object using the single-string constructor and then use the accessor methods (such as
getPath()) to retrieve the decoded components.
Don’t use the
URLEncoder class! Despite the name, that class actually does HTML form encoding, not URL encoding. It’s not correct to concatenate unencoded strings to make an “unencoded” URL and then pass it through a
URLEncoder. Doing so will result in problems (particularly the aforementioned one regarding spaces and plus signs in the path).