Maven 2 & 3: MNG-553

Secure Storage of Server Passwords

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0-alpha-3
    • Fix Version/s: 2.1.0, 3.0-alpha-3
    • Component/s: Settings
    • Labels:
      None
    • Environment:
      Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
    • Complexity:
      Expert
    • Number of attachments :
      1

      Description

      This was a question posed to the Maven User's Group and it was suggested I add it here.

      It would be beneficial to provide a more secure means of storing passwords to the servers listed in the .m2/settings.xml. They are currently being stored as plain text and could definitely be considered a security breach. Numerous organizations would undoubtedly consider this an unacceptable security risk, and this could prevent widespread adoption of Maven2.

      I would suggest leaving an option to encrypt the password into the settings file (more secure, but not foolproof) or even requiring the password to be manually provided per build (would prevent automation of builds). I am sure that there is a secure solution to this problem and it should be part of the 2.0 release.

      Attachments:
        1. MNG-553.patch (1 kB, Benjamin Bentmann)

          Activity

          Oleg Gusakov added a comment (edited)

          Joerg wrote:

          I did not have a real problem using a plain password in .m2/settings.xml

          This has the same security strength as the added solution, but many people misused settings.xml and kept the <servers> section in a public place. This can now be addressed by having a private ~/.m2/sec.xml which contains the encryption key; now the server section can be public, but only people with the appropriate key can use it.

          This is also enhanced with the "relocate" feature, which allows putting the encryption key on a removable drive, so that multiple people can use the same OS account, but only those with the USB disk can update repositories.

          However, the main problem IMHO was that with effective:pom you were able to display the password and the password was also written into the URLs of a released POM. Does the change address those two problems also?

          help:effective-settings shows the encrypted password. I did not check the released POM, but chances are good it also gets stuffed with the encrypted password.

          Please let me know if it's not the case

          Oleg Gusakov added a comment (edited)

          Looks like the name sec.xml is too short and may be confusing. Changing for security-settings.xml

          Oleg Gusakov added a comment

          Final name - settings-security.xml

          I left a snapshot in the trunk in case there are more changes

          Oleg Gusakov added a comment

          settings-security.xml - root tag renamed to settingsSecurity

          Oleg Gusakov added a comment

          Done in 2.1.x and 3.0 trunks

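          The layout the comments above settle on (encrypted {...} passwords in settings.xml, the master key in a private ~/.m2/settings-security.xml, optionally relocated to a removable drive) is only as good as the file that holds the key, so a practitioner will want a quick audit of both files. The script below is an added example; it is not Maven's own code and not the MNG-553.patch attached to this issue. The element names <master> and <relocation> and the {...} marker for encrypted values are taken from Maven's documented settings-security.xml format, not from this page (which names only the <settingsSecurity> root), and the sample settings.xml, ciphertext placeholders and temporary directory layout are constructed for the demo.

```python
"""Audit a Maven settings.xml and settings-security.xml for the problem in MNG-553.

Added example, not Maven's code and not the MNG-553.patch on this issue. Reports
(1) which <server> entries still hold a plaintext <password> rather than Maven's
{...} encrypted form and (2) whether the master key file, or the file its
<relocation> points to, exists and is private. Assumption: <master>, <relocation>
and the {...} marker follow Maven's documented format (the page names only the
<settingsSecurity> root). All sample data below is constructed.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def _local(tag: str) -> str:
    """Strip the XML namespace so namespaced and bare settings files parse alike."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str) -> str:
    """Stripped text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def classify_password(value: str) -> str:
    """'encrypted' for {...} values, 'property' for ${...} references, else 'plaintext'."""
    v = value.strip()
    if v.startswith("{") and v.endswith("}") and len(v) > 2:
        return "encrypted"
    if v.startswith("${") and v.endswith("}"):
        return "property"
    return "plaintext"


def classify_servers(settings_xml: str) -> dict:
    """Map each <server> id to its <password> classification; servers without one are skipped."""
    result = {}
    for server in ET.fromstring(settings_xml).iter():
        if _local(server.tag) == "server" and _child_text(server, "password"):
            result[_child_text(server, "id") or "<no id>"] = classify_password(_child_text(server, "password"))
    return result


def resolve_security_file(path: Path) -> Path:
    """Follow one <relocation> hop: the 'relocate' feature that keeps the key on a removable drive."""
    root = ET.fromstring(path.read_text())
    if _local(root.tag) != "settingsSecurity":
        raise ValueError(f"{path}: unexpected root element <{_local(root.tag)}>")
    target = _child_text(root, "relocation")
    return Path(target).expanduser() if target else path


def master_key_problems(security_file: Path) -> list:
    """Human-readable findings about the master key file; an empty list means it looks sane."""
    if not security_file.is_file():
        return [f"{security_file}: missing; encrypted passwords in settings.xml cannot be decrypted"]
    target = resolve_security_file(security_file)
    if not target.is_file():
        return [f"{target}: relocation target missing (removable drive not mounted?)"]
    problems = []
    master = _child_text(ET.fromstring(target.read_text()), "master")
    if not master:
        problems.append(f"{target}: no <master> key")
    elif classify_password(master) != "encrypted":
        problems.append(f"{target}: <master> is not in {{...}} form; create it with mvn --encrypt-master-password")
    # POSIX only: the file holding the master key must not be readable by group/others.
    mode = stat.S_IMODE(target.stat().st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{target}: mode {mode:04o} lets other users read the master key")
    return problems


# Constructed sample: the plaintext case this issue complains about, next to a
# server already using the encrypted form and one deferring to an environment variable.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>legacy-nexus</id><username>deployer</username><password>hunter2</password></server>
    <server><id>release-repo</id><username>deployer</username><password>{EXAMPLE_CIPHERTEXT=}</password></server>
    <server><id>ci-repo</id><username>ci</username><password>${env.CI_REPO_PASSWORD}</password></server>
  </servers>
</settings>"""


def demo() -> dict:
    """Build a throw-away ~/.m2 layout with a relocated master key and audit it twice."""
    with tempfile.TemporaryDirectory() as tmp:
        usb = Path(tmp) / "usb"                        # stands in for the removable drive
        usb.mkdir()
        key_file = usb / "settings-security.xml"
        key_file.write_text("<settingsSecurity><master>{EXAMPLE_MASTER=}</master></settingsSecurity>")
        key_file.chmod(0o600)
        pointer = Path(tmp) / "settings-security.xml"  # what stays in ~/.m2
        pointer.write_text(f"<settingsSecurity><relocation>{key_file}</relocation></settingsSecurity>")
        protected = master_key_problems(pointer)
        key_file.chmod(0o644)                          # simulate a key left world-readable
        return {"servers": classify_servers(SAMPLE_SETTINGS),
                "protected": protected,
                "world_readable": master_key_problems(pointer)}
```

          Against a real machine, pass the contents of ~/.m2/settings.xml to classify_servers and the path ~/.m2/settings-security.xml to master_key_problems. As the first comment notes, help:effective-settings prints only the {...} form, so a ciphertext showing up there is not by itself a finding; what the audit does flag is a server still in plaintext, or a master key file that other users of the machine can read, which collapses the encryption back to the plaintext case.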

            People

            • Assignee: Oleg Gusakov
            • Reporter: J. Michael McGarr
            • Votes: 40
            • Watchers: 37