Posted to issues@maven.apache.org by "Rick Herrick (JIRA)" <ji...@codehaus.org> on 2011/02/23 16:37:22 UTC

[jira] Created: (MDEPLOY-129) Need a way to specify repository credentials securely for deploy operations

Need a way to specify repository credentials securely for deploy operations
---------------------------------------------------------------------------

                 Key: MDEPLOY-129
                 URL: http://jira.codehaus.org/browse/MDEPLOY-129
             Project: Maven 2.x Deploy Plugin
          Issue Type: New Feature
          Components: deploy:deploy-file
    Affects Versions: 2.5, 2.4
         Environment: All
            Reporter: Rick Herrick


Currently, credentials for performing a deployment must be specified in the settings.xml. However, if a Maven repository is set to use LDAP for its authentication mechanism, this means exposing domain security credentials in plaintext in a static file on the hard drive and is _extremely_ insecure (as specified in the documentation: "Unfortunately, Maven doesn't currently support hashed or encrypted passwords in the settings.xml"). This is simply not workable in a secure environment, e.g. government, defense, financial, etc.

Instead there should be an option to provide these credentials on the command line or using hash or encryption algorithms.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] Commented: (MDEPLOY-129) Need a way to specify repository credentials securely for deploy operations

Posted by "Rick Herrick (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MDEPLOY-129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=257626#action_257626 ] 

Rick Herrick commented on MDEPLOY-129:
--------------------------------------

If you close the shell out, the history is gone, at least in Windows, and history can be easily cleared in shell. Certainly better than putting it in plaintext in settings.xml, which is what is prescribed in the main Maven manual.


[jira] Commented: (MDEPLOY-129) Need a way to specify repository credentials securely for deploy operations

Posted by "Benjamin Bentmann (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MDEPLOY-129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=257624#action_257624 ] 

Benjamin Bentmann commented on MDEPLOY-129:
-------------------------------------------

Specifying credentials on the command line seems to contradict the "securely" constraint, cf. MNG-4841, but anyways.


[jira] Updated: (MDEPLOY-129) Need a way to specify repository credentials securely for deploy operations

Posted by "Stephen Connolly (JIRA)" <ji...@codehaus.org>.
     [ https://jira.codehaus.org/browse/MDEPLOY-129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Connolly updated MDEPLOY-129:
-------------------------------------

      Priority: Minor  (was: Major)
        Labels: contributers-welcome documentation  (was: )
    Issue Type: Improvement  (was: New Feature)


[jira] Commented: (MDEPLOY-129) Need a way to specify repository credentials securely for deploy operations

Posted by "Benjamin Bentmann (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MDEPLOY-129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=257460#action_257460 ] 

Benjamin Bentmann commented on MDEPLOY-129:
-------------------------------------------

http://maven.apache.org/guides/mini/guide-encryption.html

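An added check, not part of the original thread or of Maven itself: a small audit that lists the <server> entries in a settings.xml whose password or passphrase is not in the encrypted form described on the linked guide-encryption page (ciphertext wrapped in curly braces, optional comment text outside them, \{ \} as escaped literal braces). The sample file, server ids and values are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: ids, usernames and secret values are made up.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>releases</id><username>deployer</username>
      <password>Winter2011!</password></server>
    <server><id>snapshots</id><username>deployer</username>
      <password>rotated 2011-02 {COQLCE6DU6GtcS5P=}</password></server>
    <server><id>site</id><privateKey>/home/build/.ssh/id_rsa</privateKey>
      <passphrase>\\{not-a-cipher\\}</passphrase></server>
    <server><id>keyless</id><username>anon</username></server>
  </servers>
</settings>"""

# An encrypted value is wrapped in unescaped curly braces; text outside the
# braces is a free-form comment, and \{ \} are literal braces. A ${...}
# property reference is not ciphertext either, so '$' is excluded as well.
ENCRYPTED = re.compile(r"(?<![\\$])\{[^{}]+(?<!\\)\}")
SECRET_TAGS = ("password", "passphrase")


def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_settings(xml_text):
    """Return sorted (server id, element) pairs whose secret is not encrypted."""
    findings = []
    root = ET.fromstring(xml_text)
    for server in (e for e in root.iter() if local(e.tag) == "server"):
        fields = {local(c.tag): (c.text or "").strip() for c in server}
        for tag in SECRET_TAGS:
            value = fields.get(tag)
            if value and not ENCRYPTED.search(value):
                findings.append((fields.get("id", "?"), tag))
    return sorted(findings)


if __name__ == "__main__":
    for server_id, tag in audit_settings(SAMPLE_SETTINGS):
        print(f"unencrypted <{tag}> for server '{server_id}'")
```
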

        

[jira] Commented: (MDEPLOY-129) Need a way to specify repository credentials securely for deploy operations

Posted by "Stephen Connolly (JIRA)" <ji...@codehaus.org>.
    [ https://jira.codehaus.org/browse/MDEPLOY-129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=276659#comment-276659 ] 

Stephen Connolly commented on MDEPLOY-129:
------------------------------------------

Which documentation (incorrectly) states that "Maven doesn't currently support hashed or encrypted passwords in the settings.xml"? I'd like to get this closed as it seems purely a documentation issue.


[jira] Commented: (MDEPLOY-129) Need a way to specify repository credentials securely for deploy operations

Posted by "Rick Herrick (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MDEPLOY-129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=257619#action_257619 ] 

Rick Herrick commented on MDEPLOY-129:
--------------------------------------

OK, then it'd be nice to have a mention on the page where I found that text that links to this page, so [from here|http://maven.apache.org/plugins/maven-deploy-plugin/usage.html] to [here|http://maven.apache.org/guides/mini/guide-encryption.html]. The first page makes it pretty definite that there's no way to do this, which is of course belied by the capability described in the second.

And second, I still think this is a valid feature request, since I can't just specify my user credentials on the command line, which is quick and ephemeral and requires no procedure to make work. Something like:

{code}mvn deploy:deploy-file -Dcredentials=foo:bar blah blah blah{code}

This is especially useful in scenarios where a developer may be deploying from an environment where s/he has write permissions on a development tree, but only read permissions on the settings.xml. This usually won't include the personal settings.xml, but again that's a procedure: the ability to just specify credentials on the fly would be much more convenient than a multi-step process.
