RFC1738 speaks to this:
characters that are not required to be encoded
(including alphanumerics) may be encoded within
the scheme-specific part of a URL, as long as they
are not being used for a reserved purpose...
While the syntax for the rest of the URL may vary
depending on the particular scheme selected, URL
schemes that involve the direct use of an IP-based
protocol to a specified host on the Internet use a
common syntax for the scheme-specific data:
//<user>:<password>@host>:<port>/<url-path>
Some or all of the parts "<user>:<password>@",
":<password>", ":<port>", and "/<url-path>"
may be excluded. The scheme specific data start with a
double slash "//" to indicate that it complies with the
common Internet scheme syntax. The different components
obey the following rules:
user
An optional user name. Some schemes (e.g., ftp) allow the
specification of a user name.
password
An optional password. If present, it follows the user
name separated from it by a colon.
The user name (and password), if present, are followed by a
commercial at-sign "@". Within the user and password field,
any ":", "@", or "/" must be encoded.
So, if Juniper is doing it right, it should work by encoding the "@" in the user name:
copy file http://xy%40foo.bar:password@www.foo.bar/ /var/tmp/test.file"