You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Eddie Webb (JIRA)" <ji...@codehaus.org> on 2013/01/10 22:02:13 UTC
[jira] (SCM-710) Use of encrypted password in pom.xml confiuration
is ignored
Eddie Webb created SCM-710:
------------------------------
Summary: Use of encrypted password in pom.xml confiuration is ignored
Key: SCM-710
URL: https://jira.codehaus.org/browse/SCM-710
Project: Maven SCM
Issue Type: Bug
Reporter: Eddie Webb
THe docs for this plugin say I can use encrypted passwords just like we do for the release plugin.
It does not seem to support the same <project.scm.id>non-hostname-id</project.scm.id> that the release plugin does, so I included the username and encrypted password directory in the plugin config.
{noformat}
...
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-scm-plugin</artifactId>
<version>1.8.1</version>
<configuration>
<username>username</username>
<password>{EncycptedStringGeneratedFromMvnPassword=}</password>
</configuration>
</plugin>
</plugins>
...
{noformat}
But the SCM fails with authentication issue, and the SVN logs determine that no user ID is sent.
If I instead include the hostname as a server ID in settings.xml, or include these values on the command line, in both cases it invokes a 500 from the application server.
mvn scm:checkout -Pforge -Dusername=myuser -Dpassword={EncycptedStringGeneratedFromMvnPassword=}
svn: Server sent unexpected return value (500 Internal Server Error) in response to OPTIONS request for https://my-svn
This 500 can be duplicated in a browser by passing the un-encrypted string {foo=}.
h3. summary
regardless of where I place the encruypted password it is either ignored, or not decrypted before being sent to the webserver.
Can you please document an example of how to use the encrypted passwords, or support the same approach as the release plugin.
http://jira.codehaus.org/browse/MRELEASE-420
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] (SCM-710) Use of encrypted password in pom.xml confiuration
is ignored
Posted by "Eddie Webb (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/SCM-710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=317189#comment-317189 ]
Eddie Webb commented on SCM-710:
--------------------------------
I'll try the solution you mentioned and get back to you.
The reason the latter is so valuable (and I really appreciate you taking a look!!) to us is that we use many different repos on that host, and leverage profiles to provide different teams an easy way to connect. (team A must specify -PteamA in order to get the proper credentials for their repo on the build server) Using the hostname method bypasses the need for profiles and would require a globally authorized ID, and does not enforce the level of separation we prefer.
> Use of encrypted password in pom.xml confiuration is ignored
> ------------------------------------------------------------
>
> Key: SCM-710
> URL: https://jira.codehaus.org/browse/SCM-710
> Project: Maven SCM
> Issue Type: Bug
> Reporter: Eddie Webb
>
> THe docs for this plugin say I can use encrypted passwords just like we do for the release plugin.
> It does not seem to support the same <project.scm.id>non-hostname-id</project.scm.id> that the release plugin does, so I included the username and encrypted password directory in the plugin config.
> {noformat}
> ...
> <plugin>
> <groupId>org.apache.maven.plugins</groupId>
> <artifactId>maven-scm-plugin</artifactId>
> <version>1.8.1</version>
> <configuration>
> <username>username</username>
> <password>{EncycptedStringGeneratedFromMvnPassword=}</password>
> </configuration>
> </plugin>
> </plugins>
> ...
> {noformat}
> But the SCM fails with authentication issue, and the SVN logs determine that no user ID is sent.
> If I instead include the hostname as a server ID in settings.xml, or include these values on the command line, in both cases it invokes a 500 from the application server.
> mvn scm:checkout -Pforge -Dusername=myuser -Dpassword={EncycptedStringGeneratedFromMvnPassword=}
> svn: Server sent unexpected return value (500 Internal Server Error) in response to OPTIONS request for https://my-svn
> This 500 can be duplicated in a browser by passing the un-encrypted string {foo=}.
> h3. summary
> regardless of where I place the encruypted password it is either ignored, or not decrypted before being sent to the webserver.
> Can you please document an example of how to use the encrypted passwords, or support the same approach as the release plugin.
> http://jira.codehaus.org/browse/MRELEASE-420
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] (SCM-710) Use of encrypted password in pom.xml confiuration
is ignored
Posted by "Eddie Webb (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/SCM-710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=317132#comment-317132 ]
Eddie Webb commented on SCM-710:
--------------------------------
Yes, we use the maven release plugin with these encrypted passwords regularly, (setup master password, encrypted all passwords, and added to server section of settings.xml) and have no plain text passwords anywhere. THe issue we are experiencing is unique to the SCM plugin which does not seem to respect the encryption.
> Use of encrypted password in pom.xml confiuration is ignored
> ------------------------------------------------------------
>
> Key: SCM-710
> URL: https://jira.codehaus.org/browse/SCM-710
> Project: Maven SCM
> Issue Type: Bug
> Reporter: Eddie Webb
>
> THe docs for this plugin say I can use encrypted passwords just like we do for the release plugin.
> It does not seem to support the same <project.scm.id>non-hostname-id</project.scm.id> that the release plugin does, so I included the username and encrypted password directory in the plugin config.
> {noformat}
> ...
> <plugin>
> <groupId>org.apache.maven.plugins</groupId>
> <artifactId>maven-scm-plugin</artifactId>
> <version>1.8.1</version>
> <configuration>
> <username>username</username>
> <password>{EncycptedStringGeneratedFromMvnPassword=}</password>
> </configuration>
> </plugin>
> </plugins>
> ...
> {noformat}
> But the SCM fails with authentication issue, and the SVN logs determine that no user ID is sent.
> If I instead include the hostname as a server ID in settings.xml, or include these values on the command line, in both cases it invokes a 500 from the application server.
> mvn scm:checkout -Pforge -Dusername=myuser -Dpassword={EncycptedStringGeneratedFromMvnPassword=}
> svn: Server sent unexpected return value (500 Internal Server Error) in response to OPTIONS request for https://my-svn
> This 500 can be duplicated in a browser by passing the un-encrypted string {foo=}.
> h3. summary
> regardless of where I place the encruypted password it is either ignored, or not decrypted before being sent to the webserver.
> Can you please document an example of how to use the encrypted passwords, or support the same approach as the release plugin.
> http://jira.codehaus.org/browse/MRELEASE-420
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] (SCM-710) Use of encrypted password in pom.xml confiuration
is ignored
Posted by "Robert Scholte (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/SCM-710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=317160#comment-317160 ]
Robert Scholte commented on SCM-710:
------------------------------------
It should be documented somewhere, but I can't find it.
Since there's no id in the scm-section of the pom file, there's another (old) solution by using the host (with optional port) as the id of the server.
{code:xml}
<server>
<id>svn-forge.com</id> <!-- or svn-forge.com:443 -->
<username>cp_lforge_crucible</username>
<password>{EncycptedStringGeneratedFromMvnPassword=}</password>
</server>
{code}
MRELEASE-420 introduced the {{project.scm.id}}-property, to have a more logic solution.
Let me see if I can add that for the scm-plugin as well in a short period of time.
> Use of encrypted password in pom.xml confiuration is ignored
> ------------------------------------------------------------
>
> Key: SCM-710
> URL: https://jira.codehaus.org/browse/SCM-710
> Project: Maven SCM
> Issue Type: Bug
> Reporter: Eddie Webb
>
> THe docs for this plugin say I can use encrypted passwords just like we do for the release plugin.
> It does not seem to support the same <project.scm.id>non-hostname-id</project.scm.id> that the release plugin does, so I included the username and encrypted password directory in the plugin config.
> {noformat}
> ...
> <plugin>
> <groupId>org.apache.maven.plugins</groupId>
> <artifactId>maven-scm-plugin</artifactId>
> <version>1.8.1</version>
> <configuration>
> <username>username</username>
> <password>{EncycptedStringGeneratedFromMvnPassword=}</password>
> </configuration>
> </plugin>
> </plugins>
> ...
> {noformat}
> But the SCM fails with authentication issue, and the SVN logs determine that no user ID is sent.
> If I instead include the hostname as a server ID in settings.xml, or include these values on the command line, in both cases it invokes a 500 from the application server.
> mvn scm:checkout -Pforge -Dusername=myuser -Dpassword={EncycptedStringGeneratedFromMvnPassword=}
> svn: Server sent unexpected return value (500 Internal Server Error) in response to OPTIONS request for https://my-svn
> This 500 can be duplicated in a browser by passing the un-encrypted string {foo=}.
> h3. summary
> regardless of where I place the encruypted password it is either ignored, or not decrypted before being sent to the webserver.
> Can you please document an example of how to use the encrypted passwords, or support the same approach as the release plugin.
> http://jira.codehaus.org/browse/MRELEASE-420
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] (SCM-710) Use of encrypted password in pom.xml confiuration
is ignored
Posted by "Robert Scholte (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/SCM-710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=317126#comment-317126 ]
Robert Scholte commented on SCM-710:
------------------------------------
Have you followed the instructions of http://maven.apache.org/guides/mini/guide-encryption.html ?
Be sure you have a {{settings-security.xml}} with an encrypted master-password.
> Use of encrypted password in pom.xml confiuration is ignored
> ------------------------------------------------------------
>
> Key: SCM-710
> URL: https://jira.codehaus.org/browse/SCM-710
> Project: Maven SCM
> Issue Type: Bug
> Reporter: Eddie Webb
>
> THe docs for this plugin say I can use encrypted passwords just like we do for the release plugin.
> It does not seem to support the same <project.scm.id>non-hostname-id</project.scm.id> that the release plugin does, so I included the username and encrypted password directory in the plugin config.
> {noformat}
> ...
> <plugin>
> <groupId>org.apache.maven.plugins</groupId>
> <artifactId>maven-scm-plugin</artifactId>
> <version>1.8.1</version>
> <configuration>
> <username>username</username>
> <password>{EncycptedStringGeneratedFromMvnPassword=}</password>
> </configuration>
> </plugin>
> </plugins>
> ...
> {noformat}
> But the SCM fails with authentication issue, and the SVN logs determine that no user ID is sent.
> If I instead include the hostname as a server ID in settings.xml, or include these values on the command line, in both cases it invokes a 500 from the application server.
> mvn scm:checkout -Pforge -Dusername=myuser -Dpassword={EncycptedStringGeneratedFromMvnPassword=}
> svn: Server sent unexpected return value (500 Internal Server Error) in response to OPTIONS request for https://my-svn
> This 500 can be duplicated in a browser by passing the un-encrypted string {foo=}.
> h3. summary
> regardless of where I place the encruypted password it is either ignored, or not decrypted before being sent to the webserver.
> Can you please document an example of how to use the encrypted passwords, or support the same approach as the release plugin.
> http://jira.codehaus.org/browse/MRELEASE-420
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] (SCM-710) Use of encrypted password in pom.xml confiuration
is ignored
Posted by "Robert Scholte (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/SCM-710?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Scholte updated SCM-710:
-------------------------------
Component/s: maven-plugin
> Use of encrypted password in pom.xml confiuration is ignored
> ------------------------------------------------------------
>
> Key: SCM-710
> URL: https://jira.codehaus.org/browse/SCM-710
> Project: Maven SCM
> Issue Type: Bug
> Components: maven-plugin
> Reporter: Eddie Webb
>
> THe docs for this plugin say I can use encrypted passwords just like we do for the release plugin.
> It does not seem to support the same <project.scm.id>non-hostname-id</project.scm.id> that the release plugin does, so I included the username and encrypted password directory in the plugin config.
> {noformat}
> ...
> <plugin>
> <groupId>org.apache.maven.plugins</groupId>
> <artifactId>maven-scm-plugin</artifactId>
> <version>1.8.1</version>
> <configuration>
> <username>username</username>
> <password>{EncycptedStringGeneratedFromMvnPassword=}</password>
> </configuration>
> </plugin>
> </plugins>
> ...
> {noformat}
> But the SCM fails with authentication issue, and the SVN logs determine that no user ID is sent.
> If I instead include the hostname as a server ID in settings.xml, or include these values on the command line, in both cases it invokes a 500 from the application server.
> mvn scm:checkout -Pforge -Dusername=myuser -Dpassword={EncycptedStringGeneratedFromMvnPassword=}
> svn: Server sent unexpected return value (500 Internal Server Error) in response to OPTIONS request for https://my-svn
> This 500 can be duplicated in a browser by passing the un-encrypted string {foo=}.
> h3. summary
> regardless of where I place the encruypted password it is either ignored, or not decrypted before being sent to the webserver.
> Can you please document an example of how to use the encrypted passwords, or support the same approach as the release plugin.
> http://jira.codehaus.org/browse/MRELEASE-420
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] (SCM-710) Use of encrypted password in pom.xml confiuration
is ignored
Posted by "Eddie Webb (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/SCM-710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=317125#comment-317125 ]
Eddie Webb commented on SCM-710:
--------------------------------
Update.
I can now verify that the password is passed when using configuration section of the project pom, but does not decrpt the password. Switching between the unencrypted and encrypted password manually resolves the issue. THe same appears to be true if stored in settings.xml using the hostname as the server ID.
> Use of encrypted password in pom.xml confiuration is ignored
> ------------------------------------------------------------
>
> Key: SCM-710
> URL: https://jira.codehaus.org/browse/SCM-710
> Project: Maven SCM
> Issue Type: Bug
> Reporter: Eddie Webb
>
> THe docs for this plugin say I can use encrypted passwords just like we do for the release plugin.
> It does not seem to support the same <project.scm.id>non-hostname-id</project.scm.id> that the release plugin does, so I included the username and encrypted password directory in the plugin config.
> {noformat}
> ...
> <plugin>
> <groupId>org.apache.maven.plugins</groupId>
> <artifactId>maven-scm-plugin</artifactId>
> <version>1.8.1</version>
> <configuration>
> <username>username</username>
> <password>{EncycptedStringGeneratedFromMvnPassword=}</password>
> </configuration>
> </plugin>
> </plugins>
> ...
> {noformat}
> But the SCM fails with authentication issue, and the SVN logs determine that no user ID is sent.
> If I instead include the hostname as a server ID in settings.xml, or include these values on the command line, in both cases it invokes a 500 from the application server.
> mvn scm:checkout -Pforge -Dusername=myuser -Dpassword={EncycptedStringGeneratedFromMvnPassword=}
> svn: Server sent unexpected return value (500 Internal Server Error) in response to OPTIONS request for https://my-svn
> This 500 can be duplicated in a browser by passing the un-encrypted string {foo=}.
> h3. summary
> regardless of where I place the encruypted password it is either ignored, or not decrypted before being sent to the webserver.
> Can you please document an example of how to use the encrypted passwords, or support the same approach as the release plugin.
> http://jira.codehaus.org/browse/MRELEASE-420
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] (SCM-710) Use of encrypted password in pom.xml confiuration
is ignored
Posted by "Eddie Webb (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/SCM-710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=317125#comment-317125 ]
Eddie Webb edited comment on SCM-710 at 1/10/13 3:45 PM:
---------------------------------------------------------
Update.
I can now verify that the password is passed when using configuration section of the project pom, but does not decrypt the password. Switching between the unencrypted and encrypted password manually resolves the issue. THe same appears to be true if stored in settings.xml using the hostname as the server ID.
encrypted password in pom.xml
{noformat}
[INFO] Executing: /bin/sh -c cd /opt/lforge/testing/bootstrap/target && svn --username cp_lforge_crucible --password '*****' --no-auth-cache --non-interactive checkout https://svn-forge.com/svn/FORGE/maven/repository/bootstrap/trunk /opt/lforge/testing/bootstrap/target/checkout
[INFO] Working directory: /opt/lforge/testing/bootstrap/target
[ERROR] Provider message:
[ERROR] The svn command failed.
[ERROR] Command output:
[ERROR] svn: OPTIONS of 'https://svn-forge.com/svn/FORGE/maven/repository/bootstrap/trunk': authorization failed (https://svn-forge.com)
{noformat}
plain-text password in pom.xml
{noformat}
[scm:checkout {execution: default-cli}]
[INFO] Removing /opt/lforge/testing/target/checkout
[INFO] Executing: /bin/sh -c cd /opt/lforge/testing/target && svn --username cp_lforge_crucible --password '*****' --no-auth-cache --non-interactive checkout https://svn-forge.com/svn/FORGE/maven/repository/bootstrap/trunk /opt/lforge/testing/target/checkout
[INFO] Working directory: /opt/lforge/testing/target
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESSFUL
[INFO] ------------------------------------------------------------------------
{noformat}
was (Author: eddiewebb):
Update.
I can now verify that the password is passed when using configuration section of the project pom, but does not decrpt the password. Switching between the unencrypted and encrypted password manually resolves the issue. THe same appears to be true if stored in settings.xml using the hostname as the server ID.
> Use of encrypted password in pom.xml confiuration is ignored
> ------------------------------------------------------------
>
> Key: SCM-710
> URL: https://jira.codehaus.org/browse/SCM-710
> Project: Maven SCM
> Issue Type: Bug
> Reporter: Eddie Webb
>
> THe docs for this plugin say I can use encrypted passwords just like we do for the release plugin.
> It does not seem to support the same <project.scm.id>non-hostname-id</project.scm.id> that the release plugin does, so I included the username and encrypted password directory in the plugin config.
> {noformat}
> ...
> <plugin>
> <groupId>org.apache.maven.plugins</groupId>
> <artifactId>maven-scm-plugin</artifactId>
> <version>1.8.1</version>
> <configuration>
> <username>username</username>
> <password>{EncycptedStringGeneratedFromMvnPassword=}</password>
> </configuration>
> </plugin>
> </plugins>
> ...
> {noformat}
> But the SCM fails with authentication issue, and the SVN logs determine that no user ID is sent.
> If I instead include the hostname as a server ID in settings.xml, or include these values on the command line, in both cases it invokes a 500 from the application server.
> mvn scm:checkout -Pforge -Dusername=myuser -Dpassword={EncycptedStringGeneratedFromMvnPassword=}
> svn: Server sent unexpected return value (500 Internal Server Error) in response to OPTIONS request for https://my-svn
> This 500 can be duplicated in a browser by passing the un-encrypted string {foo=}.
> h3. summary
> regardless of where I place the encruypted password it is either ignored, or not decrypted before being sent to the webserver.
> Can you please document an example of how to use the encrypted passwords, or support the same approach as the release plugin.
> http://jira.codehaus.org/browse/MRELEASE-420
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] (SCM-710) Use of encrypted password in pom.xml confiuration
is ignored
Posted by "Eddie Webb (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/SCM-710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=317132#comment-317132 ]
Eddie Webb edited comment on SCM-710 at 1/10/13 4:44 PM:
---------------------------------------------------------
Yes, we use the maven release plugin with these encrypted passwords regularly, (setup master password, encrypted all passwords, and added to server section of settings.xml) and have no plain text passwords anywhere. This has been working for several months now.
THe issue we are experiencing is unique to the SCM plugin which does not seem to respect the encryption. The use case is that I am bootstrapping a project by programatically plopping a pom.xml on the server, and invoking
mvn scm:checkout
was (Author: eddiewebb):
Yes, we use the maven release plugin with these encrypted passwords regularly, (setup master password, encrypted all passwords, and added to server section of settings.xml) and have no plain text passwords anywhere. THe issue we are experiencing is unique to the SCM plugin which does not seem to respect the encryption.
> Use of encrypted password in pom.xml confiuration is ignored
> ------------------------------------------------------------
>
> Key: SCM-710
> URL: https://jira.codehaus.org/browse/SCM-710
> Project: Maven SCM
> Issue Type: Bug
> Reporter: Eddie Webb
>
> THe docs for this plugin say I can use encrypted passwords just like we do for the release plugin.
> It does not seem to support the same <project.scm.id>non-hostname-id</project.scm.id> that the release plugin does, so I included the username and encrypted password directory in the plugin config.
> {noformat}
> ...
> <plugin>
> <groupId>org.apache.maven.plugins</groupId>
> <artifactId>maven-scm-plugin</artifactId>
> <version>1.8.1</version>
> <configuration>
> <username>username</username>
> <password>{EncycptedStringGeneratedFromMvnPassword=}</password>
> </configuration>
> </plugin>
> </plugins>
> ...
> {noformat}
> But the SCM fails with authentication issue, and the SVN logs determine that no user ID is sent.
> If I instead include the hostname as a server ID in settings.xml, or include these values on the command line, in both cases it invokes a 500 from the application server.
> mvn scm:checkout -Pforge -Dusername=myuser -Dpassword={EncycptedStringGeneratedFromMvnPassword=}
> svn: Server sent unexpected return value (500 Internal Server Error) in response to OPTIONS request for https://my-svn
> This 500 can be duplicated in a browser by passing the un-encrypted string {foo=}.
> h3. summary
> regardless of where I place the encruypted password it is either ignored, or not decrypted before being sent to the webserver.
> Can you please document an example of how to use the encrypted passwords, or support the same approach as the release plugin.
> http://jira.codehaus.org/browse/MRELEASE-420
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira