hudson.util

Class Secret

java.lang.Object

hudson.util.Secret

All Implemented Interfaces:

Serializable

public final class Secret
extends Object
implements Serializable

Glorified String that uses encryption in the persisted form, to avoid accidental exposure of a secret.

This is not meant as a protection against code running in the same VM, nor against an attacker who has local file system access on Jenkins master.

Secrets can correctly read-in plain text password, so this allows the existing String field to be updated to Secret.

Author:

Kohsuke Kawaguchi

See Also:

Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	Secret.ConverterImpl

Field Summary

Fields

Modifier and Type	Field and Description
static boolean	AUTO_ENCRYPT_PASSWORD_CONTROL
static boolean	BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE
static Pattern	ENCRYPTED_VALUE_PATTERN Pattern matching a possible output of getEncryptedValue() Basically, any Base64-encoded value optionally wrapped by {}.

Method Summary

Modifier and Type	Method and Description
static Secret	decrypt(String data) Reverse operation of getEncryptedValue().
boolean	equals(Object that)
static Secret	fromString(String data) Attempts to treat the given string first as a cipher text, and if it doesn't work, treat the given string as the unencrypted secret value.
static Cipher	getCipher(String algorithm) Workaround for JENKINS-6459 / http://java.net/jira/browse/GLASSFISH-11862 This method uses specific provider selected via hudson.util.Secret.provider system property to provide a workaround for the above bug where default provide gives an unusable instance.
String	getEncryptedValue() Encrypts value and returns it in an encoded printable form.
String	getPlainText() Obtains the plain text password.
int	hashCode()
String	toString() Deprecated. as of 1.356 Use toString(Secret) to avoid NPE in case Secret is null. Or if you really know what you are doing, use the getPlainText() method.
static String	toString(Secret s) Works just like toString() but avoids NPE when the secret is null.

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

ENCRYPTED_VALUE_PATTERN

@Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public static final Pattern ENCRYPTED_VALUE_PATTERN

Pattern matching a possible output of getEncryptedValue() Basically, any Base64-encoded value optionally wrapped by {}. You must then call decrypt(String) to eliminate false positives.

See Also:

ENCRYPTED_VALUE_PATTERN

AUTO_ENCRYPT_PASSWORD_CONTROL

@Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public static final boolean AUTO_ENCRYPT_PASSWORD_CONTROL

BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE

@Restricted(value=org.kohsuke.accmod.restrictions.NoExternalUse.class)
public static boolean BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE

Method Detail

toString

@Deprecated
public String toString()

Deprecated. as of 1.356 Use toString(Secret) to avoid NPE in case Secret is null. Or if you really know what you are doing, use the getPlainText() method.

Obtains the secret in a plain text.

Overrides:

toString in class Object

See Also:

getEncryptedValue()

getPlainText

@NonNull
public String getPlainText()

Obtains the plain text password. Before using this method, ask yourself if you'd be better off using toString(Secret) to avoid NPE.

equals

public boolean equals(Object that)

Overrides:

equals in class Object

hashCode

public int hashCode()

Overrides:

hashCode in class Object

getEncryptedValue

public String getEncryptedValue()

Encrypts value and returns it in an encoded printable form.

See Also:

toString()

decrypt

@CheckForNull
public static Secret decrypt(@CheckForNull
                                           String data)

Reverse operation of getEncryptedValue(). Returns null if the given cipher text was invalid.

getCipher

public static Cipher getCipher(String algorithm)
                        throws GeneralSecurityException

Workaround for JENKINS-6459 / http://java.net/jira/browse/GLASSFISH-11862 This method uses specific provider selected via hudson.util.Secret.provider system property to provide a workaround for the above bug where default provide gives an unusable instance. (Glassfish Enterprise users should set value of this property to "SunJCE")

Throws:

GeneralSecurityException

fromString

@NonNull
public static Secret fromString(@CheckForNull
                                         String data)

Attempts to treat the given string first as a cipher text, and if it doesn't work, treat the given string as the unencrypted secret value.

Useful for recovering a value from a form field.

toString

@NonNull
public static String toString(@CheckForNull
                                       Secret s)

Works just like toString() but avoids NPE when the secret is null. To be consistent with fromString(String), this method doesn't distinguish empty password and null password.