This tutorial shows how to correctly mask the sensitive data of a component configuration.
It is very common to define credentials when configuring a component. Most common cases can include passwords, secrets, keys (it is also common to show them in plain text in a textarea), and tokens.
For example, this REST client configuration specifies that a username, a password and a token are needed to connect to the REST API:
@Data // or getters/setters if you don't use lombok
@GridLayout({
@GridLayout.Row({ "username", "password" }),
@GridLayout.Row("token")
})
public class RestApiConfiguration implements Serializable {
@Option
private String username;
@Option
private String password;
@Option
private String token;
}
This configuration defines that these credentials are three simple String
, represented as plain inputs, which causes severe security concerns:
-
The password and token are clearly readable in all Talend user interfaces (Studio or Web),
-
The password and token are potentially stored in clear.
To avoid this behavior, you need to mark sensitive data as @Credential
.
Marking sensitive data
Talend Component Kit provides you with the @Credential
marker, that you can use
on any @Option
. This marker has two effects:
-
It Replaces the default input widget by a password oriented widget
-
It Requests the Studio or the Talend Cloud products to store the data as sensitive data (as encrypted values).
In order to ensure that the password
and token
are never stored in clear or shown in the code,
add the @Credential
marker to the sensitive data. For example:
@Data // or getters/setters if you don't use lombok
@GridLayout({
@GridLayout.Row({ "username", "password" }),
@GridLayout.Row("token")
})
public class RestApiConfiguration implements Serializable {
@Option
private String username;
@Option
@Credential
private String password;
@Option
@Credential
private String token;
}
Your password and token (or any other sensitive data that you need to mask) are not accessible by error anymore.