Need a way to specify repository credentials securely for deploy operations

Details

Type: Improvement
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 2.4, 2.5
Fix Version/s: None
Component/s: deploy:deploy-file
Labels:
- contributers-welcome
- documentation
Environment:
All

Number of attachments :
0

Description

Currently, credentials for performing a deployment must be specified in the settings.xml. However, if a Maven repository is set to use LDAP for its authentication mechanism, this means exposing domain security credentials in plaintext in a static file on the hard drive and is extremely insecure (as specified in the documentation: "Unfortunately, Maven doesn't currently support hashed or encrypted passwords in the settings.xml"). This is simply not workable in a secure environment, e.g. government, defense, financial, etc.

Instead there should be an option to provide these credentials on the command line or using hash or encryption algorithms.

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Benjamin Bentmann added a comment - 23/Feb/11 9:41 AM

http://maven.apache.org/guides/mini/guide-encryption.html

Show

Benjamin Bentmann added a comment - 23/Feb/11 9:41 AM http://maven.apache.org/guides/mini/guide-encryption.html

Hide

Permalink

Rick Herrick added a comment - 24/Feb/11 9:21 AM

OK, then it'd be nice to have a mention on the page where I found that text that links to this page, so from here to here. The first page makes it pretty definite that there's no way to do this, which is of course belied by the capability described in the second.

And second, I still think this is a valid feature request, since I can't just specify my user credentials on the command line, which is quick and ephemeral and requires no procedure to make work. Something like:

mvn deploy:deploy-file -Dcredentials=foo:bar blah blah blah

This is especially useful in scenarios where a developer may be deploying from an environment where s/he has write permissions on a development tree, but only read permissions on the settings.xml. This usually won't include the personal settings.xml, but again that's a procedure: the ability to just specify credentials on the fly would be much more convenient than a multi-step process.

Show

Rick Herrick added a comment - 24/Feb/11 9:21 AM OK, then it'd be nice to have a mention on the page where I found that text that links to this page, so from here to here . The first page makes it pretty definite that there's no way to do this, which is of course belied by the capability described in the second. And second, I still think this is a valid feature request, since I can't just specify my user credentials on the command line, which is quick and ephemeral and requires no procedure to make work. Something like: mvn deploy:deploy-file -Dcredentials=foo:bar blah blah blah This is especially useful in scenarios where a developer may be deploying from an environment where s/he has write permissions on a development tree, but only read permissions on the settings.xml. This usually won't include the personal settings.xml, but again that's a procedure: the ability to just specify credentials on the fly would be much more convenient than a multi-step process.

Hide

Permalink

Benjamin Bentmann added a comment - 24/Feb/11 9:30 AM

Specifying credentials on the command line seems to contradict the "securely" constrainst, cf. ~~MNG-4841~~, but anyways.

Show

Benjamin Bentmann added a comment - 24/Feb/11 9:30 AM Specifying credentials on the command line seems to contradict the "securely" constrainst, cf. MNG-4841 , but anyways.

Hide

Permalink

Rick Herrick added a comment - 24/Feb/11 9:33 AM

If you close the shell out, the history is gone, at least in Windows, and history can be easily cleared in shell. Certainly better than putting it in plaintext in settings.xml, which is what is prescribed in the main Maven manual.

Show

Rick Herrick added a comment - 24/Feb/11 9:33 AM If you close the shell out, the history is gone, at least in Windows, and history can be easily cleared in shell. Certainly better than putting it in plaintext in settings.xml, which is what is prescribed in the main Maven manual.

Hide

Permalink

Stephen Connolly added a comment - 22/Aug/11 4:29 AM

Which documentation (incorrecty) states that "Maven doesn't currently support hashed or encrypted passwords in the settings.xml". I'd like to get this closed as it seems purely a documentation issue

Show

Stephen Connolly added a comment - 22/Aug/11 4:29 AM Which documentation (incorrecty) states that "Maven doesn't currently support hashed or encrypted passwords in the settings.xml". I'd like to get this closed as it seems purely a documentation issue

Stephen Connolly made changes - 22/Aug/11 4:30 AM

Field	Original Value	New Value
Issue Type	New Feature [ 2 ]	Improvement [ 4 ]
Labels		contributers-welcome documentation
Priority	Major [ 3 ]	Minor [ 4 ]

People

Assignee:

Unassigned

Reporter:

Rick Herrick

Vote (0)

Watch (1)

Dates

Created:

23/Feb/11 9:36 AM

Updated:

22/Aug/11 4:30 AM