Secret Strings/en

From expecco Wiki (Version 2.x)

During execution, strings may be needed or generated that should not be shown in the activity log or in the final report. Examples are passwords entered by the operator or cryptographic keys that are used temporarily.

Secret Values

Any object can be given a "secret" attribute via the Smalltalk expression:

someValue beSecret:true

or in JavaScript:

someValue.beSecret(true)

This is an attribute of the object (i.e. the String or ByteArray); it is preserved and remains persistently attached to the object as it gets passed to other pins or actions.

The activity logger and other expecco tools will not show the real value of objects marked as being secret. However, as the datum is physically present somewhere in memory, a knowledgeable user may be able to recover the original value while expecco is running. Thus, this does not provide 100% security; it does, however, prevent those values from being exposed by accident, e.g. in a report or while looking at an activity log.

There is a minor restriction in that numbers and booleans cannot be marked as secret (because these are implemented as singletons in the underlying runtime system). In that case, you should pass the printed string marked as secret if required.
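
The behaviour described in this section, modelled in plain JavaScript as an added example (not expecco code and not its implementation): a mark bound to an object's identity, a logger that masks marked values, and the restriction on numbers. The names markSecret, isSecret, render, logLine and forward and all sample values are assumptions made for this illustration.

```javascript
// Model only, NOT expecco's implementation. All names are hypothetical.
const secretMarks = new WeakSet(); // marks are bound to object identity

// Analogue of beSecret(flag). A mark needs an object to attach to, so
// numbers and booleans are rejected, mirroring the restriction above.
function markSecret(obj, flag = true) {
  if (obj === null || typeof obj !== "object") {
    throw new TypeError("cannot mark a " + typeof obj + "; pass its printed string instead");
  }
  if (flag) secretMarks.add(obj); else secretMarks.delete(obj);
  return obj;
}

function isSecret(v) {
  return v !== null && typeof v === "object" && secretMarks.has(v);
}

// Analogue of the activity logger: marked values are masked, others printed.
function render(v) {
  if (isSecret(v)) return "***";
  if (v instanceof Uint8Array) return "bytes[" + Array.from(v).join(",") + "]";
  return String(v);
}

function logLine(action, pinValues) {
  const parts = Object.entries(pinValues).map(([pin, v]) => pin + "=" + render(v));
  return action + ": " + parts.join(" ");
}

// Stands in for passing a value on to another pin or action: same object, same mark.
function forward(v) { return v; }

// Constructed sample values. In JavaScript a string must be a String object to carry a mark.
const password = markSecret(new String("s3cr3t-constructed"));
const key = markSecret(new Uint8Array([1, 2, 3, 4]));
const code = markSecret(new String(String(4711))); // a number, passed as its printed string
console.log(logLine("Login", { user: "alice", password: forward(password), key, code }));
```

The mark only changes what the logger prints: password.valueOf() still returns the original text, which is the in-memory exposure the section describes.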

The PasswordString Datatype

By declaring the datatype of an output pin as PasswordString, the value written to the pin will get the secret attribute.

Secret Variables

If a variable (an expecco environment variable) is declared as being initialized as secret or secret from user, it will also be marked as such.



Copyright © 2014-2020 eXept Software AG