A common secure coding practice is to never log passwords. Automated test cases often use passwords to log into applications under test in various environments. In such cases care should be taken to protect and hide passwords from logs, reports, error messages and console outputs.
Gwen masked settings
Gwen masked settings address this concern by making your sensitive data appear as ●●●●● in all outputs and reports.
To mask the value of a setting named user.password, for example:
- Define it as user.password\:masked=secret in your Gwen settings/properties file (the colon is escaped because ':' is also a key/value separator in Java properties files)
- Or as user.password:masked=secret through the JVM -D option
Then just reference the setting wherever you need it as user.password.
Example
When I enter "${user.password}" in the password field
When evaluated, the above will be logged as follows:
When I enter "●●●●●" in the password field
Note that Gwen will mask sensitive data in all outputs but it is still your responsibility to only enter sensitive data into protected inputs, such as fields that themselves mask the raw value so that they are not displayed as clear text on web pages or in captured screenshots.
You can also change the default masking character '●' by assigning the gwen.mask.char setting to a different character if desired.
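The following is an added illustration, not Gwen's own code: a small Python re-creation of the masked-settings idea, showing the two views a tool like Gwen has to keep apart, the raw value handed to the step and the masked value written to logs and reports. The `\:masked` file form, the `:masked` -D form, the `${...}` reference syntax and the gwen.mask.char override are the page's; the sample settings, the five-character mask width and all function names are assumptions.

```python
import re

MASK_LEN = 5  # assumption: fixed-width mask, so a log line does not leak the secret's length

# Constructed sample settings file (not from the Gwen docs); note the '\:' escape
SAMPLE_SETTINGS = r"""
# test-environment settings
user.name=tester
user.password\:masked=secret
"""

def parse_settings(text):
    """Yield (name, value, is_masked) from properties text or '-D' style key=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue  # skip blanks and comments; simplification: '=' is the only separator
        key, value = line.split("=", 1)
        # In a properties file ':' must be written '\:' (it is a separator); -D needs no escape
        key = key.strip().replace("\\:", ":")
        is_masked = key.endswith(":masked")
        if is_masked:
            key = key[: -len(":masked")]
        yield key, value.strip(), is_masked

class Settings:
    """Raw values for the step to act on, plus a masked view for logs and reports."""
    def __init__(self, text):
        self.values, self.masked = {}, set()
        for name, value, is_masked in parse_settings(text):
            self.values[name] = value
            if is_masked:
                self.masked.add(name)
        # gwen.mask.char (documented on the page) overrides the default mask character
        self.mask_char = self.values.get("gwen.mask.char", "●")

    def _render(self, template, for_log):
        def sub(match):
            name = match.group(1)
            if name not in self.values:
                raise KeyError(f"unbound setting: {name}")
            if for_log and name in self.masked:
                return self.mask_char * MASK_LEN
            return self.values[name]
        return re.sub(r"\$\{([^}]+)\}", sub, template)

    def resolve(self, template):  # what the step actually uses: secrets intact
        return self._render(template, for_log=False)

    def for_log(self, template):  # what reaches logs, reports and console output
        return self._render(template, for_log=True)
```

Everything that is printed, reported or attached to an error message should go through `for_log`; only the action itself (typing into the field) should see `resolve`.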