You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Dale Wyttenbach (JIRA)" <ji...@codehaus.org> on 2010/03/26 16:16:23 UTC

[jira] Created: (MNG-4611) 3.0-alpha7 password decryption log verbosity

3.0-alpha7 password decryption log verbosity
--------------------------------------------

                 Key: MNG-4611
                 URL: http://jira.codehaus.org/browse/MNG-4611
             Project: Maven 2 & 3
          Issue Type: Bug
            Reporter: Dale Wyttenbach


The log verbosity of password decryption in 3.0-alpha7 that makes the mvn -X option effectively unusable.  The password I've got in my settings.xml file looks like this: 

            <password>{DESede}y+qq...==</password> 

This is an Artifactory setup password and it does work, however mvn -X logs exceptions about it so frequently that it makes -X almost impossible to use.  Is there some way I can suppress this behavior through configuration?  The exception that it logs over and over again is: 

[DEBUG] Failed to decrypt password for server central: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException 
org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException 
... 
Caused by: java.lang.ArrayIndexOutOfBoundsException 
        at java.lang.System.arraycopy(Native Method) 
        at org.sonatype.plexus.components.cipher.PBECipher.decrypt64(PBECipher.java:175) 
        ... 47 more 


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Commented: (MNG-4611) 3.0-alpha7 password decryption log verbosity

Posted by "Yoav Landman (JIRA)" <ji...@codehaus.org>.

    [ http://jira.codehaus.org/browse/MNG-4611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=216993#action_216993 ] 

Yoav Landman commented on MNG-4611:
-----------------------------------

If the password escape mechanism is broken, how is it not a bug? There is really nothing "improper" about the password used, and it is currently the only way to centrally enforce security and to have zero client-side password generation or clear text keys on the client.

> 3.0-alpha7 password decryption log verbosity
> --------------------------------------------
>
>                 Key: MNG-4611
>                 URL: http://jira.codehaus.org/browse/MNG-4611
>             Project: Maven 2 & 3
>          Issue Type: Bug
>            Reporter: Dale Wyttenbach
>            Assignee: Benjamin Bentmann
>
> The log verbosity of password decryption in 3.0-alpha7 that makes the mvn -X option effectively unusable.  The password I've got in my settings.xml file looks like this: 
>             <password>{DESede}y+qq...==</password> 
> This is an Artifactory setup password and it does work, however mvn -X logs exceptions about it so frequently that it makes -X almost impossible to use.  Is there some way I can suppress this behavior through configuration?  The exception that it logs over and over again is: 
> [DEBUG] Failed to decrypt password for server central: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException 
> org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException 
> ... 
> Caused by: java.lang.ArrayIndexOutOfBoundsException 
>         at java.lang.System.arraycopy(Native Method) 
>         at org.sonatype.plexus.components.cipher.PBECipher.decrypt64(PBECipher.java:175) 
>         ... 47 more 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Commented: (MNG-4611) 3.0-alpha7 password decryption log verbosity

Posted by "Benjamin Bentmann (JIRA)" <ji...@codehaus.org>.

    [ http://jira.codehaus.org/browse/MNG-4611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=216994#action_216994 ] 

Benjamin Bentmann commented on MNG-4611:
----------------------------------------

This issue is about the "log verbosity". The log output is fine, as there is an issue with the password used.

> 3.0-alpha7 password decryption log verbosity
> --------------------------------------------
>
>                 Key: MNG-4611
>                 URL: http://jira.codehaus.org/browse/MNG-4611
>             Project: Maven 2 & 3
>          Issue Type: Bug
>            Reporter: Dale Wyttenbach
>            Assignee: Benjamin Bentmann
>
> The log verbosity of password decryption in 3.0-alpha7 that makes the mvn -X option effectively unusable.  The password I've got in my settings.xml file looks like this: 
>             <password>{DESede}y+qq...==</password> 
> This is an Artifactory setup password and it does work, however mvn -X logs exceptions about it so frequently that it makes -X almost impossible to use.  Is there some way I can suppress this behavior through configuration?  The exception that it logs over and over again is: 
> [DEBUG] Failed to decrypt password for server central: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException 
> org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException 
> ... 
> Caused by: java.lang.ArrayIndexOutOfBoundsException 
>         at java.lang.System.arraycopy(Native Method) 
>         at org.sonatype.plexus.components.cipher.PBECipher.decrypt64(PBECipher.java:175) 
>         ... 47 more 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Commented: (MNG-4611) 3.0-alpha7 password decryption log verbosity

Posted by "Brendan Lawlor (JIRA)" <ji...@codehaus.org>.

    [ http://jira.codehaus.org/browse/MNG-4611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=217010#action_217010 ] 

Brendan Lawlor commented on MNG-4611:
-------------------------------------

I've raised MNG-4626 as a more general but related point. I think the notion of encrypting 'properly' as suggested above is a problem in the first place. The encryption mechanism used by Dale and provided for by Yoav in Artifactory is clearly the sensible approach to password protection in maven, and maven/nexus should really be doing the same thing.

> 3.0-alpha7 password decryption log verbosity
> --------------------------------------------
>
>                 Key: MNG-4611
>                 URL: http://jira.codehaus.org/browse/MNG-4611
>             Project: Maven 2 & 3
>          Issue Type: Bug
>            Reporter: Dale Wyttenbach
>            Assignee: Benjamin Bentmann
>
> The log verbosity of password decryption in 3.0-alpha7 that makes the mvn -X option effectively unusable.  The password I've got in my settings.xml file looks like this: 
>             <password>{DESede}y+qq...==</password> 
> This is an Artifactory setup password and it does work, however mvn -X logs exceptions about it so frequently that it makes -X almost impossible to use.  Is there some way I can suppress this behavior through configuration?  The exception that it logs over and over again is: 
> [DEBUG] Failed to decrypt password for server central: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException 
> org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException 
> ... 
> Caused by: java.lang.ArrayIndexOutOfBoundsException 
>         at java.lang.System.arraycopy(Native Method) 
>         at org.sonatype.plexus.components.cipher.PBECipher.decrypt64(PBECipher.java:175) 
>         ... 47 more 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] Closed: (MNG-4611) 3.0-alpha7 password decryption log verbosity

Posted by "Benjamin Bentmann (JIRA)" <ji...@codehaus.org>.

     [ http://jira.codehaus.org/browse/MNG-4611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benjamin Bentmann closed MNG-4611.
----------------------------------

    Resolution: Not A Bug
      Assignee: Benjamin Bentmann

In conformance with [Maven Password Encryption|http://maven.apache.org/guides/mini/guide-encryption.html], the password you use should be decrypted by Maven but its format is invalid, so the log messages are justified.

AFAICT, the escape mechanism documented on that page is broken, so right now your only option is to either ignore the log messages or encrypt you password properly using Maven.

> 3.0-alpha7 password decryption log verbosity
> --------------------------------------------
>
>                 Key: MNG-4611
>                 URL: http://jira.codehaus.org/browse/MNG-4611
>             Project: Maven 2 & 3
>          Issue Type: Bug
>            Reporter: Dale Wyttenbach
>            Assignee: Benjamin Bentmann
>
> The log verbosity of password decryption in 3.0-alpha7 that makes the mvn -X option effectively unusable.  The password I've got in my settings.xml file looks like this: 
>             <password>{DESede}y+qq...==</password> 
> This is an Artifactory setup password and it does work, however mvn -X logs exceptions about it so frequently that it makes -X almost impossible to use.  Is there some way I can suppress this behavior through configuration?  The exception that it logs over and over again is: 
> [DEBUG] Failed to decrypt password for server central: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException 
> org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: org.sonatype.plexus.components.cipher.PlexusCipherException: java.lang.ArrayIndexOutOfBoundsException 
> ... 
> Caused by: java.lang.ArrayIndexOutOfBoundsException 
>         at java.lang.System.arraycopy(Native Method) 
>         at org.sonatype.plexus.components.cipher.PBECipher.decrypt64(PBECipher.java:175) 
>         ... 47 more 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira