Protecting Sensitive Data with Gwen

A common secure coding practice is to never log passwords. Automated test cases often use passwords to log into applications under test in various environments. In such cases, care should be taken to keep passwords out of logs, reports, error messages and console outputs.

Gwen masked settings

Gwen masked settings address this concern by making your sensitive data appear as ●●●●● in all outputs and reports.

For example, to mask the value of a setting named user.password:

  • Define it as user.password\:masked=secret in your Gwen settings/properties file
  • Or as user.password:masked=secret through the JVM -D option

Then reference the setting as user.password wherever you need it:


When I enter "${user.password}" in the password field

When evaluated, the above will be logged as follows:

When I enter "●●●●●" in the password field

Note that Gwen will mask sensitive data in all outputs, but it is still your responsibility to enter sensitive data only into protected inputs, such as fields that themselves mask the raw value, so that it is not displayed as clear text on web pages or in captured screenshots.

You can also change the default masking character '●' by assigning the gwen.mask.char setting to a different character if desired.
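A check that could run in CI before the tests, added here as an example and not part of Gwen or the original post: it scans a settings file for secret-looking keys that lack the masked suffix, including the case where the colon is left unescaped in a properties file. It assumes standard Java properties parsing, where an unescaped ':' ends the key; the key-name pattern, function names and sample file are constructed for illustration.

```python
import re

# Assumption: key names containing these words hold secrets (adjust to taste).
SENSITIVE = re.compile(r"(password|passwd|secret|token|api[._-]?key)", re.I)

def split_property(line):
    """Split one .properties line into (key, value) using Java rules: the key
    ends at the first unescaped '=', ':' or whitespace. Continuations ignored."""
    key, i, s = [], 0, line.strip()
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            key.append(s[i + 1])          # escaped char (e.g. '\:') stays in the key
            i += 2
            continue
        if s[i] in "=:" or s[i].isspace():
            break
        key.append(s[i])
        i += 1
    rest = s[i:].lstrip()
    if rest[:1] in ("=", ":"):            # drop the separator itself
        rest = rest[1:].lstrip()
    return "".join(key), rest

def lint(text):
    """Return (line_no, key, problem) for secrets that would not be masked."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":   # blank line or comment
            continue
        key, value = split_property(line)
        if key.endswith(":masked") or not SENSITIVE.search(key):
            continue
        # 'name:masked=v' without the backslash parses as key 'name', value 'masked=v'
        problem = ("unescaped ':' (write \\:masked)" if value.startswith("masked=")
                   else "not declared as masked")
        findings.append((no, key, problem))
    return findings

# Constructed sample settings file, not taken from the post.
SAMPLE = r"""# gwen.properties (constructed sample)
user.name=tester
user.password\:masked=secret
admin.password=secret
api.token:masked=secret
"""

if __name__ == "__main__":
    for no, key, problem in lint(SAMPLE):
        print(f"line {no}: {key}: {problem}")
```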

Published by

Branko Juric

Imperative by day and functional by night. Co-author of the Gwen automation platform.
