On Tue, 2024-02-13 at 09:52 +0000, Theodore Tan wrote:
> Hello,
>  
> I’m using HttpClient 5.2.1 for my application, specifically the
> HttpPost object to send a POST request and authenticate to an
> OAuth2.0 server using grant_type=password.
> Since grant_type=password requires a plaintext password, sending the
> POST request leaves the password in my application’s memory
> (confirmed using profiling tools such as ProcessHacker), which I’m
> trying to avoid.
>  
> I tried using a ByteArrayEntity for the POST request:
> 
> HttpPost httpPost = new HttpPost(myUri);
> ByteArrayBuilder byteArrayBuilder = new ByteArrayBuilder();
> byteArrayBuilder.append("grant_type=password&");
> byteArrayBuilder.append("username=" + username + "&");
> byteArrayBuilder.append("client_id=" + clientId + "&");
> byteArrayBuilder.append("password=" + plaintextPassword);
> byte[] byteArray = byteArrayBuilder.toByteArray();
> httpPost.setEntity(new ByteArrayEntity(byteArray, ContentType.APPLICATION_FORM_URLENCODED)); // Set entity using a ByteArrayEntity
> closeableHttpClient.execute(httpPost, httpClientResponseHandler); // Execute the POST request
> Arrays.fill(byteArray, (byte) 0); // Clear the byte array that contains the password
>  
> Unfortunately, using a ByteArrayEntity still leaves a plaintext
> password string in my application’s memory, even after clearing
> the byteArray object.
> The password remnants seem to be created in the HttpClient code.
> Is there a way to clear or empty the request strings used by
> HttpPost?
> Or are there alternative objects in HttpClient that can be used to
> avoid strings like passwords from being retained in memory?
>  

Hi Theodore

HttpClient always creates a copy of the original request. This internal
request object mutates in the course of message exchange execution and
has a life cycle of its own separate from that of the original request.
The internal request object also references the original request entity
and therefore keeps it in memory as long as it does not get GCed.
However, once the execution context gets GCed all message exchange
objects including the internal request object should get out of scope
and also get GCed.

What you need to make sure of is that the execution context is not
referenced longer than necessary.

---
HttpClientContext localContext = ContextBuilder.create()
        .build();
HttpGet httpget = new HttpGet("http://httpbin.org/cookies");
httpclient.execute(httpget, localContext, response -> {
    System.out.println("----------------------------------------");
    System.out.println(httpget + "->" + new StatusLine(response));
    EntityUtils.consume(response.getEntity());
    return null;
});

// Message exchange details are still kept in the local context
// until it gets GCed
localContext = null;

---

Oleg
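
A worked version of the approach discussed above, added here as an example and not code from the thread or from HttpClient itself: the form body is percent-encoded straight from a char[] into the byte[] that ByteArrayEntity wraps (avoiding the "password=" + plaintextPassword String, which can never be cleared), the array is zeroed after execute(), and the execution context is dropped as Oleg describes. The class name, tokenUrl, clientId and username are assumed inputs; buffers inside HttpClient's transport layer remain outside the caller's control.

```java
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import org.apache.hc.client5.http.ContextBuilder;
import org.apache.hc.client5.http.classic.methods.HttpPost;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.protocol.HttpClientContext;
import org.apache.hc.core5.http.ContentType;
import org.apache.hc.core5.http.io.entity.ByteArrayEntity;
import org.apache.hc.core5.http.io.entity.EntityUtils;

public class PasswordGrantPost { // hypothetical class name
    // Percent-encode a char[] form value straight into dst at off (RFC 3986 unreserved bytes
    // pass through) and return the new offset; the secret never becomes an immutable String.
    static int formEncode(char[] value, byte[] dst, int off) {
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(value));
        while (utf8.hasRemaining()) {
            int c = utf8.get() & 0xff;
            if (Character.isLetterOrDigit(c) && c < 0x80 || "-_.~".indexOf(c) >= 0) {
                dst[off++] = (byte) c;
            } else {
                dst[off++] = '%';
                dst[off++] = (byte) "0123456789ABCDEF".charAt(c >> 4);
                dst[off++] = (byte) "0123456789ABCDEF".charAt(c & 0xf);
            }
        }
        if (utf8.hasArray()) Arrays.fill(utf8.array(), (byte) 0); // wipe the encoder's own copy
        return off;
    }

    // tokenUrl, clientId and username are assumed non-secret inputs; the password arrives as char[].
    static void postPasswordGrant(CloseableHttpClient client, String tokenUrl, String clientId,
                                  String username, char[] password) throws Exception {
        byte[] prefix = ("grant_type=password&client_id=" + URLEncoder.encode(clientId, StandardCharsets.UTF_8)
                + "&username=" + URLEncoder.encode(username, StandardCharsets.UTF_8) + "&password=").getBytes(StandardCharsets.US_ASCII);
        // worst case: 3 UTF-8 bytes per char, each expanded to 3 percent-encoded bytes
        byte[] body = Arrays.copyOf(prefix, prefix.length + 9 * password.length);
        int len = formEncode(password, body, prefix.length);
        HttpPost post = new HttpPost(tokenUrl);
        // ByteArrayEntity wraps `body` without copying, so zeroing it later also clears what the
        // entity (and HttpClient's internal request copy, which references the entity) still points at
        post.setEntity(new ByteArrayEntity(body, 0, len, ContentType.APPLICATION_FORM_URLENCODED));
        HttpClientContext ctx = ContextBuilder.create().build();
        try {
            client.execute(post, ctx, response -> { EntityUtils.consume(response.getEntity()); return null; });
        } finally {
            Arrays.fill(body, (byte) 0);   // the entity now points at zeros
            Arrays.fill(password, '\0');   // caller's char[] is wiped too
            ctx = null; // drop the execution context so the internal request copy becomes unreachable
        }
    }
}
```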
