jira.codehaus.org

  • Maven 2 & 3
  • MNG-4611

3.0-alpha7 password decryption log verbosity

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Not A Bug
  • Affects Version/s: None
  • Fix Version/s: None
  • Component/s: None
  • Labels: None
  • Complexity: Intermediate

Description

The log verbosity of password decryption in 3.0-alpha7 makes the mvn -X option effectively unusable. The password I've got in my settings.xml file looks like this:

<password>{DESede}y+qq...==</password>

This is an Artifactory setup password and it does work, however mvn -X logs exceptions about it so frequently that it makes -X almost impossible to use. Is there some way I can suppress this behavior through configuration? The exception that it logs over and over again is:

[DEBUG] Failed to decrypt password for server central: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException
org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException
...
Caused by: java.lang.ArrayIndexOutOfBoundsException
at java.lang.System.arraycopy(Native Method)
at org.sonatype.plexus.components.cipher.PBECipher.decrypt64(PBECipher.java:175)
... 47 more

Issue Links

is duplicated by

MNG-4704 Maven 3.0 beta 1 password decryption log verbosity with FileNotFoundException (Bug, Major, Closed)

Activity

Benjamin Bentmann added a comment - 26/Mar/10 11:32 AM

In conformance with Maven Password Encryption, the password you use should be decrypted by Maven but its format is invalid, so the log messages are justified.

AFAICT, the escape mechanism documented on that page is broken, so right now your only option is to either ignore the log messages or encrypt your password properly using Maven.
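As an added illustration (not part of the issue thread and not Maven's own code): a small audit script that reports which `<server>` passwords in a settings.xml are brace-wrapped in a way Maven will try, and fail, to decrypt, as with the `{DESede}` value in this report. The classification rule (any `{...}` group is treated as encrypted content, and a usable payload is Base64 decoding to at least 10 bytes) is an assumption about Maven's behaviour, and the sample settings and password values are constructed.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Assumption: Maven treats the first {...} group in a value as encrypted content.
BRACED = re.compile(r"\{([^{}]*)\}")
# Assumption: a usable payload holds an 8-byte salt, a pad-length byte and data.
MIN_PAYLOAD = 8 + 1 + 1

def classify(value):
    """Return 'plaintext', 'maven-format' or 'foreign-braces' for one password."""
    match = BRACED.search(value or "")
    if match is None:
        return "plaintext"
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return "foreign-braces"  # e.g. {DESede}...: decryption attempted, fails
    return "maven-format" if len(raw) >= MIN_PAYLOAD else "foreign-braces"

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace from a tag

def audit_settings(xml_text):
    """Map each <server> id to the classification of its <password>."""
    findings = {}
    for element in ET.fromstring(xml_text).iter():
        if local(element.tag) != "server":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in element}
        if "password" in fields:
            findings[fields.get("id", "?")] = classify(fields["password"])
    return findings

# Constructed sample: none of these values is a real credential.
_MAVEN_STYLE = "{" + base64.b64encode(bytes(range(32))).decode() + "}"
SAMPLE = f"""<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>central</id><password>{{DESede}}Y29uc3RydWN0ZWQ=</password></server>
    <server><id>internal</id><password>{_MAVEN_STYLE}</password></server>
    <server><id>legacy</id><password>constructed-plaintext</password></server>
  </servers>
</settings>"""

if __name__ == "__main__":
    for server_id, kind in audit_settings(SAMPLE).items():
        print(f"{server_id}: {kind}")
```

A `foreign-braces` result marks a server entry that would produce the repeated "Failed to decrypt password" debug output; `maven-format` only means the value has the expected shape, not that it decrypts with the local master password.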

Yoav Landman added a comment - 07/Apr/10 6:19 AM

If the password escape mechanism is broken, how is it not a bug? There is really nothing "improper" about the password used, and it is currently the only way to centrally enforce security and to have zero client-side password generation or clear text keys on the client.

Benjamin Bentmann added a comment - 07/Apr/10 6:45 AM

This issue is about the "log verbosity". The log output is fine, as there is an issue with the password used.

Brendan Lawlor added a comment - 07/Apr/10 8:42 AM

I've raised MNG-4626 as a more general but related point. I think the notion of encrypting 'properly' as suggested above is a problem in the first place. The encryption mechanism used by Dale and provided for by Yoav in Artifactory is clearly the sensible approach to password protection in maven, and maven/nexus should really be doing the same thing.


People

  • Assignee: Benjamin Bentmann
  • Reporter: Dale Wyttenbach

Dates

  • Created: 26/Mar/10 10:15 AM
  • Updated: 10/Jun/10 3:55 AM
  • Resolved: 26/Mar/10 11:32 AM