Hello,
I'm using HttpClient 5.2.1 for my application, specifically the HttpPost object
to send a POST request and authenticate to an OAuth 2.0 server using
grant_type=password.
Since grant_type=password requires a plaintext password, sending the POST
request leaves the password in my application's memory (confirmed using
profiling tools such as ProcessHacker), which I'm trying to avoid.
I tried using a ByteArrayEntity for the POST request:
import java.util.Arrays;
import org.apache.hc.client5.http.classic.methods.HttpPost;
import org.apache.hc.core5.http.ContentType;
import org.apache.hc.core5.http.io.entity.ByteArrayEntity;
import org.apache.hc.core5.util.ByteArrayBuilder;

HttpPost httpPost = new HttpPost(myUri);
ByteArrayBuilder byteArrayBuilder = new ByteArrayBuilder();
byteArrayBuilder.append("grant_type=password&");
byteArrayBuilder.append("username=" + username + "&");
byteArrayBuilder.append("client_id=" + clientId + "&");
byteArrayBuilder.append("password=" + plaintextPassword);
byte[] byteArray = byteArrayBuilder.toByteArray();
httpPost.setEntity(new ByteArrayEntity(byteArray,
    ContentType.APPLICATION_FORM_URLENCODED)); // Set entity using a ByteArrayEntity
closeableHttpClient.execute(httpPost, httpClientResponseHandler); // Execute the POST request
Arrays.fill(byteArray, (byte) 0); // Clear the byte array that contains the password
Unfortunately, using a ByteArrayEntity still leaves a plaintext password string
in my application's memory, even after clearing the byteArray object.
The password remnants seem to be created in the HttpClient code.
Is there a way to clear or empty the request strings used by HttpPost?
Or are there alternative objects in HttpClient that can be used to avoid
strings like passwords from being retained in memory?
Thank you.
Theodore Tan
Senior Software Developer
[email protected]
ITRS
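Not part of Theodore's message: an added example, written for this thread and not taken from HttpClient, of assembling the grant_type=password form body without the password ever becoming a java.lang.String. The secret stays in a char[] (as returned by Console.readPassword()), is form-encoded straight into byte[] scratch buffers, and every buffer is zeroed on every exit path. It assumes HttpClient 5.2.x and HttpCore 5.2 on the classpath; the token URL, client id, username and the password literal in main are placeholders.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import org.apache.hc.client5.http.classic.methods.HttpPost;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.core5.http.ContentType;
import org.apache.hc.core5.http.io.entity.ByteArrayEntity;
import org.apache.hc.core5.http.io.entity.EntityUtils;

/** Password grant whose secret only ever exists as char[]/byte[] that are wiped afterwards (example, not HttpClient code). */
public final class PasswordGrantRequest {

    private static final char[] HEX = "0123456789ABCDEF".toCharArray();

    private static boolean isUnreserved(int b) {
        return (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z') || (b >= '0' && b <= '9')
                || b == '-' || b == '_' || b == '.' || b == '~';
    }

    /** application/x-www-form-urlencoded encoding of a char[]: space -> '+', other non-unreserved -> %XX of UTF-8 bytes. */
    static byte[] formEncode(char[] value) {
        byte[] utf8 = new byte[value.length * 4];             // scratch buffer, worst-case UTF-8 expansion
        ByteBuffer bb = ByteBuffer.wrap(utf8);
        CharsetEncoder enc = StandardCharsets.UTF_8.newEncoder();
        if (enc.encode(CharBuffer.wrap(value), bb, true).isError() || enc.flush(bb).isError()) {
            Arrays.fill(utf8, (byte) 0);
            throw new IllegalArgumentException("value is not encodable as UTF-8");
        }
        int n = bb.position();
        byte[] out = new byte[n * 3];                         // scratch buffer, worst case every byte escaped
        int o = 0;
        for (int i = 0; i < n; i++) {
            int b = utf8[i] & 0xff;
            if (isUnreserved(b)) {
                out[o++] = (byte) b;
            } else if (b == ' ') {
                out[o++] = '+';
            } else {
                out[o++] = '%';
                out[o++] = (byte) HEX[b >>> 4];
                out[o++] = (byte) HEX[b & 0x0f];
            }
        }
        byte[] exact = Arrays.copyOf(out, o);
        Arrays.fill(utf8, (byte) 0);                          // wipe both scratch buffers before returning
        Arrays.fill(out, (byte) 0);
        return exact;
    }

    private static byte[] concat(byte[]... parts) {
        int len = 0;
        for (byte[] p : parts) len += p.length;
        byte[] body = new byte[len];
        int pos = 0;
        for (byte[] p : parts) {
            System.arraycopy(p, 0, body, pos, p.length);
            pos += p.length;
        }
        return body;
    }

    /** Builds the form body. clientId and username are public identifiers, so String is acceptable for them. */
    static byte[] buildBody(String clientId, String username, char[] password) {
        byte[] pwd = formEncode(password);
        try {
            return concat("grant_type=password&client_id=".getBytes(StandardCharsets.US_ASCII),
                    formEncode(clientId.toCharArray()),
                    "&username=".getBytes(StandardCharsets.US_ASCII),
                    formEncode(username.toCharArray()),
                    "&password=".getBytes(StandardCharsets.US_ASCII),
                    pwd);
        } finally {
            Arrays.fill(pwd, (byte) 0);                       // the assembled body now holds the only copy
        }
    }

    /** Sends the grant; zeroes body and password on every path. Caller zeroes the returned token bytes after parsing. */
    static byte[] requestToken(CloseableHttpClient client, String tokenUri, String clientId,
                               String username, char[] password) throws IOException {
        byte[] body = buildBody(clientId, username, password);
        try {
            HttpPost post = new HttpPost(tokenUri);
            post.setEntity(new ByteArrayEntity(body, ContentType.APPLICATION_FORM_URLENCODED));
            return client.execute(post, response -> {
                if (response.getCode() != 200) {
                    EntityUtils.consume(response.getEntity());
                    throw new IOException("token endpoint returned HTTP " + response.getCode());
                }
                return EntityUtils.toByteArray(response.getEntity());   // raw JSON; token is inside, keep it as bytes
            });
        } finally {
            Arrays.fill(body, (byte) 0);
            Arrays.fill(password, (byte) 0);
        }
    }

    public static void main(String[] args) throws IOException {
        char[] password = "p@ss word/ü".toCharArray();        // constructed placeholder, not a real credential
        byte[] body = buildBody("my-client", "alice@example.com", password);
        System.out.write(body, 0, body.length);               // demo only: bytes go out without creating a String
        System.out.println();
        Arrays.fill(body, (byte) 0);
        Arrays.fill(password, (byte) 0);
        // Live use: try (CloseableHttpClient c = HttpClients.createDefault()) { requestToken(c, url, id, user, pw); }
    }
}
```

Two caveats a reviewer would want stated. First, this only removes the copies the application itself creates; HttpClient's classic I/O layer writes the entity through its own session output buffer, and a copying garbage collector can relocate an array and leave the old bytes behind, so zeroing shortens the exposure window rather than eliminating it. Second, the token response is just as sensitive as the password, which is why requestToken hands it back as byte[] for the caller to parse and wipe instead of a String.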