apache · jbertram · May 5, 2026
diff --git a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java
@@ -35,6 +35,7 @@
 import org.apache.activemq.artemis.nativo.jlibaio.LibaioContext;
 import org.apache.activemq.artemis.nativo.jlibaio.LibaioFile;
 import org.apache.activemq.artemis.utils.FileUtil;
+import org.apache.activemq.artemis.utils.PasswordMaskingUtil;
 import picocli.CommandLine.Command;
 import picocli.CommandLine.Option;
 
@@ -444,9 +445,17 @@ private String getClusterUser() {
       return clusterUser;
    }
 
-   private String getClusterPassword() {
+   protected String getClusterPassword() {
       if (clusterPassword == null) {
          clusterPassword = inputPassword("--cluster-password", "What is the cluster password?", "password-admin");
+         try {
+            clusterPassword = PasswordMaskingUtil.wrap(PasswordMaskingUtil.getDefaultCodec().encode(clusterPassword));
+            getActionContext().out.println("Using masked cluster-password: " + clusterPassword);
+         } catch (Exception e) {
+            getActionContext().err.println("Warning: Failed to mask password.");
+            getActionContext().err.println("Reason: " + e.getMessage());
+            e.printStackTrace();
+         }
       }
       return clusterPassword;
    }

diff --git a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/InputAbstract.java b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/InputAbstract.java
@@ -31,13 +31,17 @@ public class InputAbstract extends ActionAbstract {
    private static boolean inputEnabled = false;
 
    /**
-    * Test cases validating or using the CLI cannot deal with inputs, so they are generally disabled, however the main
-    * method from the CLI will enable it back.
+    * Test cases validating or using the CLI usually don't deal with inputs, so they are generally disabled, however
+    * the main method from the CLI will enable it back.
     */
    public static void enableInput() {
       inputEnabled = true;
    }
 
+   public static void disableInput() {
+      inputEnabled = false;
+   }
+
    @Option(names = "--silent", description = "Disable all the inputs, and make a best guess for any required input.")
    private boolean silentInput = false;
 
@@ -145,4 +149,8 @@ public Object execute(ActionContext context) throws Exception {
 
       return null;
    }
+
+   public void setLineReader(InputReader lineReader) {
+      this.lineReader = lineReader;
+   }
 }
diff --git a/.../src/test/java/org/apache/activemq/artemis/cli/commands/CreateTestIndividualSettings.java b/.../src/test/java/org/apache/activemq/artemis/cli/commands/CreateTestIndividualSettings.java
@@ -20,14 +20,20 @@
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
+import java.util.Map;
 
+import org.apache.activemq.artemis.cli.commands.util.input.InputReader;
 import org.apache.activemq.artemis.tests.extensions.TargetTempDirFactory;
+import org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;
+import org.apache.activemq.artemis.utils.PasswordMaskingUtil;
 import org.apache.activemq.artemis.utils.RandomUtil;
 import org.apache.activemq.cli.test.TestActionContext;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
+import org.mockito.Mockito;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
@@ -84,4 +90,38 @@ private boolean fileContains(File file, String search) {
       }
       return false;
    }
+
+   @Test
+   public void testMaskClusterPassword() throws Exception {
+      final String password = RandomUtil.randomUUIDString();
+
+      Create c = new Create();
+      Create.enableInput();
+      try {
+         InputReader inputReader = Mockito.mock(InputReader.class);
+         Mockito.when(inputReader.readPassword(Mockito.anyString())).thenReturn(password);
+         c.setLineReader(inputReader);
+
+         assertEquals(PasswordMaskingUtil.wrap(PasswordMaskingUtil.getDefaultCodec().encode(password)), c.getClusterPassword());
+      } finally {
+         Create.disableInput();
+      }
+   }
+
+   @Test
+   public void testMaskAdminPassword() throws Exception {
+      final String password = RandomUtil.randomUUIDString();
+
+      Create c = new Create();
+      Create.enableInput();
+      try {
+         InputReader inputReader = Mockito.mock(InputReader.class);
+         Mockito.when(inputReader.readPassword(Mockito.anyString())).thenReturn(password);
+         c.setLineReader(inputReader);
+
+         assertTrue(PasswordMaskingUtil.getDefaultCodec(Map.of(DefaultSensitiveStringCodec.ALGORITHM, DefaultSensitiveStringCodec.ONE_WAY)).verify(password.toCharArray(), PasswordMaskingUtil.unwrap(c.getPassword())));
+      } finally {
+         Create.disableInput();
+      }
+   }
 }