A common secure coding practice is to never log passwords. Automated test cases often use passwords to log into applications under test in various environments. In such cases care should be taken to protect and hide passwords from logs, reports, error messages and console outputs.
Gwen masked settings

Gwen masked settings address this concern by making your sensitive data appear as ●●●●● in all outputs and reports.
To mask the value of a setting named user.password, for example:

- Define it as user.password\:masked=secret in your Gwen settings/properties file
- Or as user.password:masked=secret through the JVM -D option

Then just reference the setting wherever you need it as user.password.
Example:

    When I enter "${user.password}" in the password field

When evaluated, the above will be logged as follows:

    When I enter "●●●●●" in the password field
Note that Gwen will enter the raw unmasked value into input fields and will mask the value in all logged output only. It is your responsibility to only enter sensitive data into fields that themselves mask the raw value so that they are not displayed as clear text on web pages or in captured screenshots.
You can also change the default masking character '●' by assigning the gwen.mask.char setting to a different character if desired.
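As an added illustration of the scheme described above (this is example code, not Gwen's own implementation), the following Python settings store accepts both the properties-file form with the escaped \: and the -D form, keeps the raw value for entering into fields, substitutes the mask wherever a step is rendered for logging, and honours a gwen.mask.char override. The five-character width of the mask is an assumption taken from the example output shown on this page.

```python
import re

class MaskedSettings:
    """Settings store that keeps raw values for use but masks them in output."""

    MASK_WIDTH = 5  # assumption: mask rendered as five characters, as in the page example

    def __init__(self, mask_char="●"):
        self.mask_char = mask_char
        self._values = {}
        self._masked = set()

    def load_properties(self, text):
        """Parse Java-style properties lines. A key ending in ':masked' marks the
        setting as sensitive; in a properties file the colon is written as '\\:'
        because an unescaped ':' is itself a key/value separator there."""
        for raw_line in text.splitlines():
            line = raw_line.strip()
            if not line or line.startswith(("#", "!")):
                continue  # blank line or comment
            key, _, value = line.partition("=")
            self.set(key.strip().replace("\\:", ":"), value.strip())

    def set(self, key, value):
        """Register a setting given as 'name' or 'name:masked' (the -D form)."""
        if key.endswith(":masked"):
            key = key[: -len(":masked")]
            self._masked.add(key)
        if key == "gwen.mask.char":
            self.mask_char = value  # override the default masking character
        self._values[key] = value

    def raw(self, key):
        """Unmasked value, for entering into the application under test."""
        return self._values[key]

    def for_log(self, key):
        """Value as it must appear in logs, reports and console output."""
        if key in self._masked:
            return self.mask_char * self.MASK_WIDTH
        return self._values[key]

    def interpolate(self, step, masked):
        """Substitute ${name} references; masked=True yields the loggable form."""
        lookup = self.for_log if masked else self.raw
        return re.sub(r"\$\{([^}]+)\}", lambda m: lookup(m.group(1)), step)

if __name__ == "__main__":
    s = MaskedSettings()
    s.load_properties("user.password\\:masked=secret\n")  # constructed sample file
    print(s.interpolate('When I enter "${user.password}" in the password field', masked=True))
```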