You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Jimisola Laursen (Jira)" <ji...@apache.org> on 2021/12/22 16:36:00 UTC

[jira] [Created] (MWRAPPER-46) Simplify use of Maven Wrapper project in different environments

Jimisola Laursen created MWRAPPER-46:
----------------------------------------

             Summary: Simplify use of Maven Wrapper project in different environments
                 Key: MWRAPPER-46
                 URL: https://issues.apache.org/jira/browse/MWRAPPER-46
             Project: Maven Wrapper
          Issue Type: Improvement
    Affects Versions: 3.1.0
            Reporter: Jimisola Laursen


I'll describe our use-case as I suspect that we might not be alone with this one.

This ticket relates to:
 # MVNW_REPOURL being insufficient
 # user not being able to set MVNW_USERNAME/PASSWORD in plain text due security

*Prerequisites:* 
 * _Self-hosted Maven 2 repo that requires basic auth_ (Nexus with proxy for Maven Central)
 * Environments:
 ** Local machine: need to use proxy for Internet, can't set MVNW_USERNAME/PASSWORD in plain text due security
 ** Pipeline/Deployment (k8s): need to use proxy for Internet, MVNW_USERNAME/PASSWORD are set
 * We want to be able to specify wrapper and/or Maven version (hence, use maven-wrapper.properties)

*Use-case:* all downloads, but local and in cluster/cloud, should go via our self-hosted Maven 2 repo that requires basic auth

*Setup cases:*
 # Setting MVNW_REPOURL in both environments causes two problems:
 ## local machine: we would have to set MVNW_USER/PASSWORD (can't due to security risk)
 ## k8s: MVNW_REPOURL environment variable, strangely, doesn't override value in maven-wrapper.properties, but vice versa. Is this really common practise? Compare with e.g. [Spring Boot's Externalized Configuration|https://docs.spring.io/spring-boot/docs/1.2.3.RELEASE/reference/html/boot-features-external-config.html]. So, we would have to either change the base url in the maven-wrapper.properties in k8s explicitly since we want to keep the version information for maven-wrapper and Maven.

 # Changing the urls to the self-hosted repo in maven-wrapper.properties:
 ## local machine: we would have to set MVNW_USER/PASSWORD (can't due to security risk)
 ## k8s: would work since MVNW_USERNAME/PASSWORD are set
 # Having maven-wrapper.jar checked in doesn't solve the issue since Maven itself has to be downloaded as well and basic auth not set.

*Ideas:*
 # be able to use [Password Encryption|https://maven.apache.org/guides/mini/guide-encryption.html] and have password encrypted in settings.xml or in MVNW_PASSWORD: issue of course being that Maven Password Encryption is not available during bootstrapping.
 # change the behavior of MVNW_REPOURL so that it has the highest priority and supersedes defaults in mvnw[.cmd] script as well as in maven-wrapper.properties: at least then we can keep a correct maven-wrapper.properties (w/ self-hosted Maven repo) and set MVNW_REPOURL to Maven Central on local machine for bootstrapping.

*Proposed semi-solution:*
 * Change priority of MVNW_REPOURL or, for backwards compatibility, add another environment variable which supersedes all other settings



--
This message was sent by Atlassian Jira
(v8.20.1#820001)