Hello, I'm using HttpClient 5.2.1 for my application, specifically the HttpPost object to send a POST request and authenticate to an OAuth 2.0 server using grant_type=password. Since grant_type=password requires a plaintext password, sending the POST request leaves the password in my application's memory (confirmed using profiling tools such as ProcessHacker), which I'm trying to avoid.

I tried using a ByteArrayEntity for the POST request:

    import java.util.Arrays;
    import org.apache.hc.client5.http.classic.methods.HttpPost;
    import org.apache.hc.core5.http.ContentType;
    import org.apache.hc.core5.http.io.entity.ByteArrayEntity;
    import org.apache.hc.core5.util.ByteArrayBuilder;

    HttpPost httpPost = new HttpPost(myUri);
    ByteArrayBuilder byteArrayBuilder = new ByteArrayBuilder();
    byteArrayBuilder.append("grant_type=password&");
    // Append the pieces separately: "password=" + plaintextPassword would create a new
    // String holding the password. If plaintextPassword is a char[], append(char[]) avoids a String entirely.
    byteArrayBuilder.append("username=").append(username).append("&");
    byteArrayBuilder.append("client_id=").append(clientId).append("&");
    byteArrayBuilder.append("password=").append(plaintextPassword);
    byte[] byteArray = byteArrayBuilder.toByteArray(); // Note: the builder's internal buffer keeps its own copy
    httpPost.setEntity(new ByteArrayEntity(byteArray, ContentType.APPLICATION_FORM_URLENCODED)); // Set entity using a ByteArrayEntity
    try {
        closeableHttpClient.execute(httpPost, httpClientResponseHandler); // Execute the POST request
    } finally {
        Arrays.fill(byteArray, (byte) 0); // Clear the byte array that contains the password, even if execute() throws
    }

Unfortunately, using a ByteArrayEntity still leaves a plaintext password string in my application's memory, even after clearing the byteArray object. The password remnants seem to be created in the HttpClient code. Is there a way to clear or empty the request strings used by HttpPost? Or are there alternative objects in HttpClient that can be used to avoid strings like passwords from being retained in memory?

Thank you.

Theodore Tan | Senior Software Developer
t...@itrsgroup.com
ITRS
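An added example, my own code rather than anything from the post above or from Apache HttpClient, showing how far the application side of this can be tightened: the form body is built from char[] inputs straight into a single byte[] that the caller owns and zeroes, with percent-encoding done by hand so that no String and no un-scrubbable builder buffer ever holds the password. The class name PasswordGrantBody, the tokenUri parameter and the handler are my own; HttpPost, ByteArrayEntity, ContentType and HttpClientResponseHandler are the HttpClient 5 / HttpCore 5 types the post already uses.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import org.apache.hc.client5.http.classic.methods.HttpPost;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.core5.http.ContentType;
import org.apache.hc.core5.http.io.HttpClientResponseHandler;
import org.apache.hc.core5.http.io.entity.ByteArrayEntity;

// Example code (hypothetical class, not part of HttpClient): encodes the password grant
// into one caller-owned byte[] without creating a String or a builder that keeps a copy.
public final class PasswordGrantBody {

    private static final byte[] HEX = "0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);

    // RFC 3986 unreserved characters pass through; everything else becomes %XX.
    private static boolean unreserved(int b) {
        return (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z') || (b >= '0' && b <= '9')
                || b == '-' || b == '_' || b == '.' || b == '~';
    }

    private static int encodedLength(byte[] raw) {
        int n = 0;
        for (byte b : raw) n += unreserved(b & 0xFF) ? 1 : 3;
        return n;
    }

    // Percent-encodes raw into out starting at off; returns the next free offset.
    private static int percentEncode(byte[] raw, byte[] out, int off) {
        for (byte b : raw) {
            int v = b & 0xFF;
            if (unreserved(v)) {
                out[off++] = (byte) v;
            } else {
                out[off++] = '%';
                out[off++] = HEX[v >>> 4];
                out[off++] = HEX[v & 0x0F];
            }
        }
        return off;
    }

    // UTF-8 encodes chars through a CharsetEncoder into a fixed-size heap scratch buffer
    // (no String involved); the scratch buffer is zeroed before the copy is returned.
    private static byte[] utf8(char[] chars) {
        CharsetEncoder enc = StandardCharsets.UTF_8.newEncoder()
                .onMalformedInput(CodingErrorAction.REPLACE)
                .onUnmappableCharacter(CodingErrorAction.REPLACE);
        ByteBuffer scratch = ByteBuffer.allocate(chars.length * 3); // UTF-8 worst case per UTF-16 unit
        enc.encode(CharBuffer.wrap(chars), scratch, true);
        enc.flush(scratch);
        scratch.flip();
        byte[] out = new byte[scratch.remaining()];
        scratch.get(out);
        Arrays.fill(scratch.array(), (byte) 0);
        return out;
    }

    private static int put(byte[] src, byte[] dst, int off) {
        System.arraycopy(src, 0, dst, off, src.length);
        return off + src.length;
    }

    // Builds "grant_type=password&username=..&client_id=..&password=.." with each value percent-encoded.
    public static byte[] build(char[] username, char[] clientId, char[] password) {
        byte[] k1 = "grant_type=password&username=".getBytes(StandardCharsets.US_ASCII);
        byte[] k2 = "&client_id=".getBytes(StandardCharsets.US_ASCII);
        byte[] k3 = "&password=".getBytes(StandardCharsets.US_ASCII);
        byte[] u = utf8(username), c = utf8(clientId), p = utf8(password);
        try {
            byte[] body = new byte[k1.length + encodedLength(u) + k2.length + encodedLength(c)
                    + k3.length + encodedLength(p)];
            int off = put(k1, body, 0);
            off = percentEncode(u, body, off);
            off = put(k2, body, off);
            off = percentEncode(c, body, off);
            off = put(k3, body, off);
            percentEncode(p, body, off);
            return body;
        } finally { // the intermediate UTF-8 copies are scrubbed whether or not allocation succeeded
            Arrays.fill(u, (byte) 0);
            Arrays.fill(c, (byte) 0);
            Arrays.fill(p, (byte) 0);
        }
    }

    // Sends the grant to tokenUri (caller-supplied placeholder) and scrubs both the body and the
    // caller's password even when execute() throws. ByteArrayEntity wraps the array without
    // copying it, so zeroing body also clears what the entity referenced.
    public static <T> T send(CloseableHttpClient client, String tokenUri, char[] username,
                             char[] clientId, char[] password,
                             HttpClientResponseHandler<? extends T> handler) throws IOException {
        byte[] body = build(username, clientId, password);
        try {
            HttpPost post = new HttpPost(tokenUri);
            post.setEntity(new ByteArrayEntity(body, ContentType.APPLICATION_FORM_URLENCODED));
            return client.execute(post, handler);
        } finally {
            Arrays.fill(body, (byte) 0);
            Arrays.fill(password, (char) 0);
        }
    }
}
```

This removes the copies the application itself makes (the concatenated `"password=" + plaintextPassword` String and the builder's retained buffer) and also fixes a correctness gap in the original snippet, which sent the values unencoded so a password containing `&`, `%` or `+` would corrupt the form. It does not control what happens below the entity: HttpClient copies the body through its session output buffer and the socket layer while transmitting, and the JVM's garbage collector can relocate objects and leave stale copies behind, so memory residue is reduced rather than eliminated. Confirming the remaining copies with the same profiling approach the post describes is the right way to check what is left.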