Maven Deploy Plugin / MDEPLOY-129

Need a way to specify repository credentials securely for deploy operations


      Description

      Currently, credentials for performing a deployment must be specified in the settings.xml. However, if a Maven repository is set to use LDAP for its authentication mechanism, this means exposing domain security credentials in plaintext in a static file on the hard drive and is extremely insecure (as specified in the documentation: "Unfortunately, Maven doesn't currently support hashed or encrypted passwords in the settings.xml"). This is simply not workable in a secure environment, e.g. government, defense, financial, etc.

      Instead there should be an option to provide these credentials on the command line or using hash or encryption algorithms.

        Activity

        Benjamin Bentmann added a comment - http://maven.apache.org/guides/mini/guide-encryption.html
        Rick Herrick added a comment -

        OK, then it'd be nice to have a mention on the page where I found that text that links to this page, so from here to here. The first page makes it pretty definite that there's no way to do this, which is of course belied by the capability described in the second.

        And second, I still think this is a valid feature request, since I can't just specify my user credentials on the command line, which is quick and ephemeral and requires no procedure to make work. Something like:

        mvn deploy:deploy-file -Dcredentials=foo:bar blah blah blah

        This is especially useful in scenarios where a developer may be deploying from an environment where s/he has write permissions on a development tree, but only read permissions on the settings.xml. This usually won't include the personal settings.xml, but again that's a procedure: the ability to just specify credentials on the fly would be much more convenient than a multi-step process.

        Benjamin Bentmann added a comment -

        Specifying credentials on the command line seems to contradict the "securely" constraint, cf. MNG-4841, but anyways.

        Rick Herrick added a comment -

        If you close the shell out, the history is gone, at least in Windows, and history can be easily cleared in shell. Certainly better than putting it in plaintext in settings.xml, which is what is prescribed in the main Maven manual.

        Stephen Connolly added a comment -

        Which documentation (incorrectly) states that "Maven doesn't currently support hashed or encrypted passwords in the settings.xml"? I'd like to get this closed, as it seems purely a documentation issue.

        Robert Scholte added a comment -

        The quote that encrypted passwords are not supported by Maven could be found here:
        http://maven.apache.org/plugins-archives/maven-deploy-plugin-2.5/usage.html
        For next versions of the maven-deploy-plugin this has been rewritten, so it is not an issue anymore.
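
An added example (not part of the original issue and not Maven's own code): a small audit that reports, for each `<server>` entry in a settings.xml, whether its password is stored in plaintext or in the brace-wrapped encrypted form described in the encryption guide linked above. The sample file, server ids and password values are constructed, and the brace check and the `${...}` property-reference handling are simplifying assumptions about how Maven recognises such values.

```python
import re
import xml.etree.ElementTree as ET

# Maven marks an encrypted value by wrapping it in unescaped curly braces.
# Simplified check (assumption): any {...} group not preceded by \ or $.
ENCRYPTED = re.compile(r"(?<![\\$])\{.+?(?<!\\)\}")
PROPERTY_REF = re.compile(r"\$\{[^}]+\}")

# Constructed sample; server ids and password values are made up.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>releases</id>
      <password>{CONSTRUCTEDciphertextAAAA=}</password>
    </server>
    <server>
      <id>snapshots</id>
      <password>Winter2011!</password>
    </server>
    <server>
      <id>site</id>
      <password>${env.SITE_PASSWORD}</password>
    </server>
  </servers>
</settings>"""

def classify(password):
    """Label one <password> value by how it is stored in the file."""
    value = (password or "").strip()
    if not value:
        return "empty"
    if ENCRYPTED.search(value):
        return "encrypted"
    if PROPERTY_REF.fullmatch(value):
        return "property-reference"
    return "plaintext"

def audit_settings(xml_text):
    """Return {server id: classification} for every <server> entry."""
    findings = {}
    for el in ET.fromstring(xml_text).iter():
        # Compare local names so the file works with or without the xmlns.
        if el.tag.rsplit("}", 1)[-1] == "server":
            fields = {c.tag.rsplit("}", 1)[-1]: c.text for c in el}
            findings[fields.get("id", "?")] = classify(fields.get("password"))
    return findings

if __name__ == "__main__":
    for server_id, kind in audit_settings(SAMPLE_SETTINGS).items():
        print(f"{server_id}: {kind}")
```

Any entry reported as `plaintext` is a candidate for re-encoding with `mvn --encrypt-password`, as the linked guide describes.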


          People

          • Assignee: Robert Scholte
          • Reporter: Rick Herrick
          • Votes: 0
          • Watchers: 2
