Package hudson.util

Class Secret

  • All Implemented Interfaces:
    Serializable

    public final class Secret
    extends Object
    implements Serializable
    Glorified String that uses encryption in the persisted form, to avoid accidental exposure of a secret.

    This is not meant as a protection against code running in the same VM, nor against an attacker who has local file system access on Jenkins master.

    Secret can correctly read in a plain-text password, so an existing String field can be changed to Secret.

    Author:
    Kohsuke Kawaguchi
    See Also:
    Serialized Form
    • Field Detail

      • ENCRYPTED_VALUE_PATTERN

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public static final Pattern ENCRYPTED_VALUE_PATTERN
        Pattern matching a possible output of getEncryptedValue(). Basically, any Base64-encoded value, optionally wrapped by {}. You must then call decrypt(String) to eliminate false positives.
        See Also:
        ENCRYPTED_VALUE_PATTERN
      • AUTO_ENCRYPT_PASSWORD_CONTROL

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public static final boolean AUTO_ENCRYPT_PASSWORD_CONTROL
      • BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE

        @Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
        public static boolean BLANK_NONSECRET_PASSWORD_FIELDS_WITHOUT_ITEM_CONFIGURE
    • Method Detail

      • getPlainText

        @NonNull
        public String getPlainText()
        Obtains the plain text password. Before using this method, ask yourself if you'd be better off using toString(Secret) to avoid NPE.
      • hashCode

        public int hashCode()
        Overrides:
        hashCode in class Object
      • getEncryptedValue

        public String getEncryptedValue()
        Encrypts value and returns it in an encoded printable form.
        See Also:
        toString()
      • decrypt

        @CheckForNull
        public static Secret decrypt(@CheckForNull String data)
        Reverse operation of getEncryptedValue(). Returns null if the given cipher text was invalid.
      • getCipher

        public static Cipher getCipher(String algorithm)
                                throws GeneralSecurityException
        Workaround for JENKINS-6459 / GLASSFISH-11862. This method uses the specific provider selected via the hudson.util.Secret.provider system property to work around the above bug, where the default provider gives an unusable instance. (Glassfish Enterprise users should set the value of this property to "SunJCE".)
        Throws:
        GeneralSecurityException
      • fromString

        @NonNull
        public static Secret fromString(@CheckForNull String data)
        Attempts to treat the given string first as a cipher text and, if that doesn't work, treats the given string as the unencrypted secret value.

        Useful for recovering a value from a form field.

      • toString

        @NonNull
        public static String toString(@CheckForNull Secret s)
        Works just like toString() but avoids NPE when the secret is null. To be consistent with fromString(String), this method doesn't distinguish between an empty password and a null password.
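
The following is an added example, not code from Jenkins itself: it shows a String password field migrated to Secret, using fromString(String) for form input, getEncryptedValue() for what goes back into the form, toString(Secret) for null-safe plain-text access, and decrypt(String) to confirm that a persisted string really is ciphertext. The class ExampleRemoteSettings and all of its members are hypothetical; only hudson.util.Secret and its methods are Jenkins API, and the code assumes it runs inside Jenkins (for example in a plugin).

```java
import hudson.util.Secret;

/** Hypothetical plugin settings object; only hudson.util.Secret is Jenkins API. */
public class ExampleRemoteSettings {
    private final String user;

    // Was "private String password" in an older release of this hypothetical plugin.
    // Secret can read the old plain-text value, and persists it in encrypted form.
    private Secret password;

    public ExampleRemoteSettings(String user, String submittedPassword) {
        this.user = user;
        setPassword(submittedPassword);
    }

    /**
     * Accepts whatever the configuration form posts back: either the encrypted
     * value that was rendered into the field (password left unchanged) or newly
     * typed plain text. fromString tries the cipher-text interpretation first,
     * then falls back to plain text, and never returns null.
     */
    public final void setPassword(String submitted) {
        this.password = Secret.fromString(submitted);
    }

    /** Value to put into the form field: the encoded cipher text, not the plain text. */
    public String getPasswordForForm() {
        return password == null ? "" : password.getEncryptedValue();
    }

    /** Null-safe plain text for the single place that opens the connection. */
    String plainPasswordForConnection() {
        // password may be null if an old config file had no such element.
        return Secret.toString(password);
    }

    /**
     * Matching ENCRYPTED_VALUE_PATTERN alone only says "looks like Base64";
     * decrypt returning non-null is what confirms the string is cipher text.
     */
    static boolean isStoredEncrypted(String persisted) {
        return persisted != null && Secret.decrypt(persisted) != null;
    }

    public String getUser() {
        return user;
    }
}
```

Keeping the plain text confined to plainPasswordForConnection() means that every other path (form rendering, persistence, logging of the settings object) only ever handles the encrypted form.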