This is a follow-up to the SECURITY-1279, SECURITY-1458, SECURITY-1497 fixes in JCasC 1.25 and 1.27. Although these fixes provide a decent level of security for attributes where Secret is somehow referenced in plugin APIs, there is still a gap for plugins which do not use Secret API at all. If passwords are stored in plain text (like in plugins references in this advisory) and retrieved as Strings in API, there is nothing JCasC can do about it at the moment. It makes JCasC use-cases impacted by vulnerabilities in other plugins.

This change...

• Introduces an additional security hardening layer where sensitive AND not encrypted attributes are masked by default in system logs and configuration exports. Secret exports are encrypted, and nothing changes there
• Adds new API which allow Attributes to indicate that a field is encrypted
• Fixes a regression in ProxyConfigurator which is caused by the changes. It demonstrates the use of new APIs

Your checklist for this pull request

🚨 Please review the guidelines for contributing to this repository.

• Make sure you are requesting to pull a topic/feature/bugfix branch (right side) and not your master branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or in Jenkins JIRA
• Link to relevant pull requests, esp. upstream and downstream changes
• Did you provide a test-case? That demonstrates feature works or fixes the issue.