You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Jimisola Laursen (Jira)" <ji...@apache.org> on 2021/12/22 16:36:00 UTC
[jira] [Created] (MWRAPPER-46) Simplify use of Maven Wrapper project in different environments
Jimisola Laursen created MWRAPPER-46:
----------------------------------------
Summary: Simplify use of Maven Wrapper project in different environments
Key: MWRAPPER-46
URL: https://issues.apache.org/jira/browse/MWRAPPER-46
Project: Maven Wrapper
Issue Type: Improvement
Affects Versions: 3.1.0
Reporter: Jimisola Laursen
I'll describe our use-case as I suspect that we might not be alone with this one.
This ticket relates to:
# MVNW_REPOURL being insufficient
# user not being able to set MVNW_USERNAME/PASSWORD in plain text due security
*Prerequisites:*
* _Self-hosted Maven 2 repo that requires basic auth_ (Nexus with proxy for Maven Central)
* Environments:
** Local machine: need to use proxy for Internet, can't set MVNW_USERNAME/PASSWORD in plain text due security
** Pipeline/Deployment (k8s): need to use proxy for Internet, MVNW_USERNAME/PASSWORD are set
* We want to be able to specify wrapper and/or Maven version (hence, use maven-wrapper.properties)
*Use-case:* all downloads, but local and in cluster/cloud, should go via our self-hosted Maven 2 repo that requires basic auth
*Setup cases:*
# Setting MVNW_REPOURL in both environments causes two problems:
## local machine: we would have to set MVNW_USER/PASSWORD (can't due to security risk)
## k8s: MVNW_REPOURL environment variable, strangely, doesn't override value in maven-wrapper.properties, but vice versa. Is this really common practise? Compare with e.g. [Spring Boot's Externalized Configuration|https://docs.spring.io/spring-boot/docs/1.2.3.RELEASE/reference/html/boot-features-external-config.html]. So, we would have to either change the base url in the maven-wrapper.properties in k8s explicitly since we want to keep the version information for maven-wrapper and Maven.
# Changing the urls to the self-hosted repo in maven-wrapper.properties:
## local machine: we would have to set MVNW_USER/PASSWORD (can't due to security risk)
## k8s: would work since MVNW_USERNAME/PASSWORD are set
# Having maven-wrapper.jar checked in doesn't solve the issue since Maven itself has to be downloaded as well and basic auth not set.
*Ideas:*
# be able to use [Password Encryption|https://maven.apache.org/guides/mini/guide-encryption.html] and have password encrypted in settings.xml or in MVNW_PASSWORD: issue of course being that Maven Password Encryption is not available during bootstrapping.
# change the behavior of MVNW_REPOURL so that it has the highest priority and supersedes defaults in mvnw[.cmd] script as well as in maven-wrapper.properties: at least then we can keep a correct maven-wrapper.properties (w/ self-hosted Maven repo) and set MVNW_REPOURL to Maven Central on local machine for bootstrapping.
*Proposed semi-solution:*
* Change priority of MVNW_REPOURL or, for backwards compatibility, add another environment variable which supersedes all other settings
--
This message was sent by Atlassian Jira
(v8.20.1#820001)