Maven 2.x Webstart Plugin

Allow different pluggable jar signers to be used

Details

  • Type: Improvement Improvement
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.0-alpha-2
  • Component/s: None
  • Labels:
    None
  • Number of attachments :
    6

Description

Allow the use of other Jar Signer methods, not just Java's keytool utility.

I've used the "Mapping Complex Objects" technique on this page: http://maven.apache.org/guides/mini/guide-configuring-plugins.html

SignConfig is now an interface which returns a fully configured version of a Mojo which can sign jar files.

There are 2 modifications required to the pom.xml:
1. <keystore/> section of the configuration has been moved inside the <sign/> tag and renamed <keystoreConfig/>. This makes sense, because deciding whether you want to delete and / or generate a keystore is all part of a particular signing configuration.
2. Instead of just specifying <sign/>, users will need to pick their implementation. To pick the normal keytool method of signature, the user will specify:
<sign implementation="org.codehaus.mojo.webstart.JarSignMojoConfig">
<keystore>...</keystore>
... etc...
</sign>

Unfortunately, I can't think of a way of defaulting this.

The code that I've given you compiles, but breaks some Junit tests. If you could confirm that you're happy with this approach and are happy to commit the changes, I'll then go ahead and sort out the test classes.

By, the way... the way that I can implement my HttpJarSigner in this architecture is very simple indeed. I just create an implementation of SignConfig with an empty init() method and a getJarSigner() method that just returns an instance of my HttpJarSigner with the serviceURL, username and password setup. I then point to it in the pom.xml using:
<sign implementation="com.lehman.HttpJarSigner">
<username>...</username>
<password>...</password>
<serviceURL>...</serviceURL>
</sign>

Note: I don't think that the generation and deletion of Java Keystore files should be part of the maven webstart plugin. If someone really wants a new keystore generated, they can configure the keystore using a different plugin.

Issue Links

This issue supercedes:
MJAR-35 Abstraction for JarSignMojo so that webstart plugin can allow the user to choose how their jars are signed Major Closed
This issue depends upon:
MNG-2293 maven-plugin-descriptor: Not possible to define a default implementation for a field defined by its interface Critical Closed

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Jerome Lacoste added a comment -

MNG-2293 prevents us applying the change without forcing the users to specify the sign implementation in the config.

Show
Jerome Lacoste added a comment - MNG-2293 prevents us applying the change without forcing the users to specify the sign implementation in the config.
Hide
Permalink
David Boden added a comment -

I've created a separate subproject under the webstart-maven-plugin project. This subproject contains only the API that you need to implement in order to be a pluggable jar signer.

I've added the module to the parent pom using:
<module>webstart-jarsigner-api</module>

And I've added a dependency to the plugin's pom:
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>webstart-jarsigner-api</artifactId>
<version>${version}</version>
</dependency>

I will also add patches for the HEAD revision of the plugin to support pluggable jar signing. I've got my pluggable jar signer working here.

Show
David Boden added a comment - I've created a separate subproject under the webstart-maven-plugin project. This subproject contains only the API that you need to implement in order to be a pluggable jar signer. I've added the module to the parent pom using: <module>webstart-jarsigner-api</module> And I've added a dependency to the plugin's pom: <dependency> <groupId>org.codehaus.mojo</groupId> <artifactId>webstart-jarsigner-api</artifactId> <version>${version}</version> </dependency> I will also add patches for the HEAD revision of the plugin to support pluggable jar signing. I've got my pluggable jar signer working here.
Hide
Permalink
Jerome Lacoste added a comment -

2.0.5 seems not too far away (only around 15 issues opened).

David, what is the status on this issue on your side?

Show
Jerome Lacoste added a comment - 2.0.5 seems not too far away (only around 15 issues opened). David, what is the status on this issue on your side?
Hide
Permalink
David Boden added a comment -

Jerome, I'm signing my jar files separately from the WebStart process. It therefore do not require this improvement to be implemented in the next release. However, I feel that it's a valid requirement going forward. Thanks.

Show
David Boden added a comment - Jerome, I'm signing my jar files separately from the WebStart process. It therefore do not require this improvement to be implemented in the next release. However, I feel that it's a valid requirement going forward. Thanks.
Hide
Permalink
Jerome Lacoste added a comment -

This is my work in progress based on the proposed patch + test case. Unfortunately it seems that the fix for MNG-2293 was incomplete. I thus don't want to check this in otherwise everyone is forced to specify the default implementation for the sign config in their pom.xml.

Still missing from the patch:

  • update the src/test/projects/*/pom.xml given the new way of configuring the keystore.
  • update the doc
Show
Jerome Lacoste added a comment - This is my work in progress based on the proposed patch + test case. Unfortunately it seems that the fix for MNG-2293 was incomplete. I thus don't want to check this in otherwise everyone is forced to specify the default implementation for the sign config in their pom.xml. Still missing from the patch:
  • update the src/test/projects/*/pom.xml given the new way of configuring the keystore.
  • update the doc
Hide
Permalink
Kenney Westerhof added a comment -

Jerome, the patch doesn't work - some chunks failed. I don't see how MNG-2293 doesn't work
as it's applied and released in 2.0.5. The unit test in shared/maven-plugin-tools/maven-plugin-tools-java succeeds,
which checks for the implementation parameter.

If you could fix the patch, or give another testcase or sample which doesn't work for you, I'll track it down
and see if it has anything to do with MNG-2293.

Btw, this doesn't seem correct:

/**

  • The Sign Config
    *
  • @parameter implementation="${org.codehaus.mojo.webstart.JarSignMojoConfig}"
    */
    private SignConfig sign;

The ${ and } should be dropped - an interface name shouldn't be evaluated. Right now this means
org.codehaus.mojo.webstart.getJarSignMojoConfig() which cannot be evaluated, and null results.
I think that's why the implementation field is empty in the plugin.xml.

Show
Kenney Westerhof added a comment - Jerome, the patch doesn't work - some chunks failed. I don't see how MNG-2293 doesn't work as it's applied and released in 2.0.5. The unit test in shared/maven-plugin-tools/maven-plugin-tools-java succeeds, which checks for the implementation parameter. If you could fix the patch, or give another testcase or sample which doesn't work for you, I'll track it down and see if it has anything to do with MNG-2293. Btw, this doesn't seem correct: /**
  • The Sign Config *
  • @parameter implementation="${org.codehaus.mojo.webstart.JarSignMojoConfig}" */ private SignConfig sign;
The ${ and } should be dropped - an interface name shouldn't be evaluated. Right now this means org.codehaus.mojo.webstart.getJarSignMojoConfig() which cannot be evaluated, and null results. I think that's why the implementation field is empty in the plugin.xml.
Hide
Permalink
Jerome Lacoste added a comment -

> Jerome, the patch doesn't work - some chunks failed.

Strange I just created it. Will look into that.
[...]

> Btw, this doesn't seem correct:
[...]
> * @parameter implementation="${org.codehaus.mojo.webstart.JarSignMojoConfig}"
[...]
> The ${ and } should be dropped - an interface name shouldn't be evaluated. Right now this means

I had tried the 4 following configurations

@parameter implementation="${org.codehaus.mojo.webstart.JarSignMojoConfig}"
@parameter implementation="org.codehaus.mojo.webstart.JarSignMojoConfig"
@parameter implementation=${org.codehaus.mojo.webstart.JarSignMojoConfig}
@parameter implementation=org.codehaus.mojo.webstart.JarSignMojoConfig

None worked.

But it looks like Dennis last comment on MNG-2293 is on the right track.

Thanks a lot for looking into this.

Show
Jerome Lacoste added a comment - > Jerome, the patch doesn't work - some chunks failed. Strange I just created it. Will look into that. [...] > Btw, this doesn't seem correct: [...] > * @parameter implementation="${org.codehaus.mojo.webstart.JarSignMojoConfig}" [...] > The ${ and } should be dropped - an interface name shouldn't be evaluated. Right now this means I had tried the 4 following configurations @parameter implementation="${org.codehaus.mojo.webstart.JarSignMojoConfig}" @parameter implementation="org.codehaus.mojo.webstart.JarSignMojoConfig" @parameter implementation=${org.codehaus.mojo.webstart.JarSignMojoConfig} @parameter implementation=org.codehaus.mojo.webstart.JarSignMojoConfig None worked. But it looks like Dennis last comment on MNG-2293 is on the right track. Thanks a lot for looking into this.
Hide
Permalink
Jerome Lacoste added a comment -

Committed in rev 3571.

The fix will not work (and the trunk will not build) until 2 dependencies are officialy released: maven-plugin-tools-java 2.1 and maven-plugin-plugin 2.3.

Show
Jerome Lacoste added a comment - Committed in rev 3571. The fix will not work (and the trunk will not build) until 2 dependencies are officialy released: maven-plugin-tools-java 2.1 and maven-plugin-plugin 2.3.

People

Vote (0)
Watch (2)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Codehaus. Try JIRA - bug tracking software for your team.