Mask your configuration sensitive data

In this tutorial we will see how to ensure the sensitive data of a component configuration is correctly handled.

The component configuration

It is very common to define credentials in a component configuration. Most known use cases will be:

  1. Passwords,

  2. Secrets,

  3. Potentially keys (it is also common to show them in plain text in a textarea),

  4. Tokens

To illustrate that we will use a REST client configuration which takes a username, password and token to connect to the REST API:

@Data // or getters/setters if you don't use lombok
@GridLayout({
        @GridLayout.Row({ "username", "password" }),
        @GridLayout.Row("token")
})
public class RestApiConfiguration implements Serializable {

    @Option
    private String username;

    @Option
    private String password;

    @Option
    private String token;
}

This simple configuration defines three String without any specific widget so they will be represented as plain inputs.

There are two major consequences you probably want to avoid:

  1. The password and token will be clearly readable in all Talend user interfaces (Studio or Web),

  2. The password and token will be potentially stored in clear.

Mark sensitive data

To solve that, Talend Component Kit provides you @Credential marker you can use on any @Option. This marker will have two effects:

  1. Replace the default input widget by a password oriented one (See widgets gallery for screenshots),

  2. Request the Studio or the Talend Cloud products to store the data as sensitive data (as encrypted values).

To ensure our password and token are never stored in clear or shown in the code we migrate our previous model to the following one:

@Data // or getters/setters if you don't use lombok
@GridLayout({
        @GridLayout.Row({ "username", "password" }),
        @GridLayout.Row("token")
})
public class RestApiConfiguration implements Serializable {

    @Option
    private String username;

    @Option
    @Credential
    private String password;

    @Option
    @Credential
    private String token;
}

And that it is! Now your password and token will not be accessible by error anymore :).

Scroll to top