Package hudson.util

Class Secret

All Implemented Interfaces: Serializable

public final class Secret extends Object implements Serializable
Glorified String that uses encryption in the persisted form, to avoid accidental exposure of a secret.

This is not meant as a protection against code running in the same VM, nor against an attacker who has local file system access on the Jenkins master.

A Secret can correctly read in a plain text password, so an existing String field can be updated to Secret.

Author: Kohsuke Kawaguchi
  • Field Details


      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public static final Pattern ENCRYPTED_VALUE_PATTERN
      Pattern matching a possible output of getEncryptedValue(). Basically, any Base64-encoded value, optionally wrapped by {}. You must then call decrypt(String) to eliminate false positives.

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public static final boolean AUTO_ENCRYPT_PASSWORD_CONTROL

      @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public static boolean BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE
  • Method Details

    • toString

      @Deprecated public String toString()
      Deprecated as of 1.356. Use toString(Secret) to avoid an NPE in case the Secret is null. Or, if you really know what you are doing, use the getPlainText() method.
      Obtains the secret in plain text.
      Overrides: toString in class Object
    • getPlainText

      @NonNull public String getPlainText()
      Obtains the plain text password. Before using this method, ask yourself if you'd be better off using toString(Secret) to avoid an NPE.
    • equals

      public boolean equals(Object that)
      Overrides: equals in class Object
    • hashCode

      public int hashCode()
      Overrides: hashCode in class Object
    • getEncryptedValue

      public String getEncryptedValue()
      Encrypts the value and returns it in an encoded, printable form.
    • decrypt

      @CheckForNull public static Secret decrypt(@CheckForNull String data)
      Reverse operation of getEncryptedValue(). Returns null if the given cipher text was invalid.
    • getCipher

      public static Cipher getCipher(String algorithm) throws GeneralSecurityException
      Workaround for JENKINS-6459 / GLASSFISH-11862. This method uses the specific provider selected via the hudson.util.Secret.provider system property to work around the above bug, where the default provider gives an unusable instance. (Glassfish Enterprise users should set the value of this property to "SunJCE".)
    • fromString

      @NonNull public static Secret fromString(@CheckForNull String data)
      Attempts to treat the given string first as cipher text and, if that does not work, treats the given string as the unencrypted secret value.

      Useful for recovering a value from a form field.

    • toString

      @NonNull public static String toString(@CheckForNull Secret s)
      Works just like toString() but avoids an NPE when the secret is null. To be consistent with fromString(String), this method does not distinguish between an empty password and a null password.
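
The following is an added example, not code from the Jenkins project: it shows a String field migrated to Secret using fromString(String), toString(Secret), decrypt(String) and getEncryptedValue() as documented above. The class MailServerSettings and its member names are hypothetical, and the code assumes it runs inside Jenkins with jenkins-core on the classpath.

```java
import hudson.util.Secret;

// Hypothetical settings holder; class, field and method names are assumptions
// made for this illustration and are not part of Jenkins.
public class MailServerSettings {

    // Was "private String password;". Values that were saved as plain text
    // before the change are still read in correctly (see the class description).
    private Secret password;

    // A form field may carry new plain text or an encrypted value that was
    // rendered into the form earlier; fromString accepts both and never
    // returns null.
    public void setPassword(String formValue) {
        this.password = Secret.fromString(formValue);
    }

    // Expose the Secret itself so callers keep the wrapper instead of
    // passing plain text around.
    public Secret getPassword() {
        return password;
    }

    // Decrypt only at the point of use. The static toString(Secret) is safe
    // when the field was never set, where password.getPlainText() would
    // throw an NPE.
    public String passwordForLogin() {
        return Secret.toString(password);
    }

    // True only for real cipher text. A string that merely looks
    // Base64-encoded makes decrypt return null, which is how the false
    // positives mentioned for ENCRYPTED_VALUE_PATTERN are eliminated.
    public static boolean isEncrypted(String stored) {
        return Secret.decrypt(stored) != null;
    }

    // Bring a legacy plain-text value into the printable encrypted form.
    // A value that is already encrypted is decrypted first and encrypted again.
    public static String toPersistedForm(String stored) {
        return Secret.fromString(stored).getEncryptedValue();
    }
}
```

As the class description states, this only prevents accidental exposure in persisted data; any code in the same VM can still call getPlainText().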