Masking sensitive data in your configuration

This tutorial shows how to correctly mask the sensitive data of a component configuration.

It is very common to define credentials when configuring a component. Most common cases can include passwords, secrets, keys (it is also common to show them in plain text in a textarea), and tokens.

For example, this REST client configuration specifies that a username, a password and a token are needed to connect to the REST API:

@Data // or getters/setters if you don't use lombok
@GridLayout({
        @GridLayout.Row({ "username", "password" }),
        @GridLayout.Row("token")
})
public class RestApiConfiguration implements Serializable {

    @Option
    private String username;

    @Option
    private String password;

    @Option
    private String token;
}

This configuration defines that these credentials are three simple String, represented as plain inputs, which causes severe security concerns:

  • The password and token are clearly readable in all Talend user interfaces (Studio or Web),

  • The password and token are potentially stored in clear.

To avoid this behavior, you need to mark sensitive data as @Credential.

Marking sensitive data

Talend Component Kit provides you with the @Credential marker, that you can use on any @Option. This marker has two effects:

  • It Replaces the default input widget by a password oriented widget

  • It Requests the Studio or the Talend Cloud products to store the data as sensitive data (as encrypted values).

In order to ensure that the password and token are never stored in clear or shown in the code, add the @Credential marker to the sensitive data. For example:

@Data // or getters/setters if you don't use lombok
@GridLayout({
        @GridLayout.Row({ "username", "password" }),
        @GridLayout.Row("token")
})
public class RestApiConfiguration implements Serializable {

    @Option
    private String username;

    @Option
    @Credential
    private String password;

    @Option
    @Credential
    private String token;
}

Your password and token (or any other sensitive data that you need to mask) are not accessible by error anymore.

Scroll to top