Protecting Sensitive Data with Gwen

A common secure coding practice is to never log passwords. Automated test cases often use passwords to log into applications under test in various environments. In such cases care should be taken to protect and hide passwords from logs, reports, error messages and console outputs.

Gwen masked settings

Gwen masked settings address this concern by making your sensitive data appear as ●●●●● in all outputs and reports.

To mask the value of a setting named user.password for example:

  • Define it as user.password\:masked=secret in your Gwen settings/properties file
  • Or as user.password:masked=secret through the JVM -D option

Then just reference the setting where you need as user.password .


When I enter "${user.password}" in the password field

When evaluated, the above will be logged as follows:

When I enter "●●●●●" in the password field

Note that Gwen will mask sensitive data in all outputs but it is still your responsibility to only enter sensitive data into protected inputs, such as fields that themselves mask the raw value so that they are not displayed as clear text on web pages or in captured screenshots.

You can also change the default masking character '●' by assigning the gwen.mask.char setting to a different character if desired.