Posted to user@ant.apache.org by Steve Loughran <st...@apache.org> on 2005/08/01 13:27:11 UTC
Re: concealing passwords
Roedy Green wrote:
> I notice that in all the scripts I have seen people just insert their
> passwords as plain text in the scripts, e.g. for jarsigning.
>
> I don't want to do that since I will be distributing the scripts along
> with source code.
>
> It seems there are several ways you could handle it:
> 1. put the password in the registry.
> 2. make the password a system property you insert from a set variable.
> 3. put it in a file
> 4. something cleverer that makes you enter it and it remembers for a few
> hours.
>
> I wondered what is considered standard practice.
>
-beware of passing things on the command line, as on Unix it's visible to
all users via the ps command
-you can use <input> to ask for a password; it will be echoed (Java's fault)

I keep passwords in properties files in a subdirectory that is locked
down with very restricted access, not in SCM.
-steve
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
For additional commands, e-mail: user-help@ant.apache.org
Re: concealing passwords
Posted by Patrick Martin <an...@gmail.com>.
Hello,
You can also get the user input via an antform [1] UI which can star passwords:
  <antform>
    <textProperty label="enter a password" property="my.password"
                  password="true" />
  </antform>
Not tested, but something like that should work.
[1] http://antforms.sourceforge.net/
On 8/1/05, Steve Loughran <st...@apache.org> wrote:
> Roedy Green wrote:
> > I notice that in all the scripts I have seen people just insert their
> > passwords as plain text in the scripts, e.g. for jarsigning.
> >
> > I don't want to do that since I will be distributing the scripts along
> > with source code.
> >
> > It seems there are several ways you could handle it:
> > 1. put the password in the registry.
> > 2. make the password a system property you insert from a set variable.
> > 3. put it in a file
> > 4. something cleverer that makes you enter it and it remembers for a few
> > hours.
> >
> > I wondered what is considered standard practice.
> >
>
> -beware of passing things on the command line, as on Unix it's visible to
> all users via the ps command
> -you can use <input> to ask for a password; it will be echoed (Java's fault)
>
> I keep passwords in properties files in a subdirectory that is locked
> down with very restricted access, not in SCM.
>
> -steve
>
>
>
Re: concealing passwords
Posted by Jeffrey E Care <ca...@us.ibm.com>.
The problem with using <input> for passwords is then you need a person
actually sitting there watching for the prompt. IIRC <input> is smart
enough to see if the property is already bound, but that leads us back to
the original problem of how to bind that property in the first place.
--
Jeffrey E. Care (carej@us.ibm.com)
WebSphere v7 Release Engineer
WebSphere Build Tooling Lead (Project Mantis)
Steve Loughran <st...@apache.org> wrote on 08/01/2005 07:27:11 AM:
> Roedy Green wrote:
> > I notice that in all the scripts I have seen people just insert their
> > passwords as plain text in the scripts, e.g. for jarsigning.
> >
> > I don't want to do that since I will be distributing the scripts along
> > with source code.
> >
> > It seems there are several ways you could handle it:
> > 1. put the password in the registry.
> > 2. make the password a system property you insert from a set variable.
> > 3. put it in a file
> > 4. something cleverer that makes you enter it and it remembers for a few
> > hours.
> >
> > I wondered what is considered standard practice.
> >
>
> -beware of passing things on the command line, as on Unix it's visible to
> all users via the ps command
> -you can use <input> to ask for a password; it will be echoed (Java's fault)
>
> I keep passwords in properties files in a subdirectory that is locked
> down with very restricted access, not in SCM.
>
> -steve
>
>
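
Added example, not part of any message in this thread: a build file that combines the locked-down properties file with an <input> fallback that only fires when the password property is still unbound. The file location, the property names (sign.alias, sign.storepass, build.unattended) and dist/app.jar are assumptions made for illustration.

```xml
<project name="sign-example" default="sign" basedir=".">

  <!-- Assumed location: a directory outside the source tree, readable only
       by the build user (e.g. mode 700 on the directory, 600 on the file)
       and never committed to SCM. -->
  <property name="secrets.file"
            location="${user.home}/.ant-secrets/signing.properties"/>

  <!-- <property file> does nothing if the file is absent.
       Expected keys (hypothetical names): sign.alias, sign.storepass.
       Do not bind them with -D on the ant command line: arguments are
       visible to other users via ps. -->
  <property file="${secrets.file}"/>

  <!-- Runs only when the password is still unbound after loading the file. -->
  <target name="ask-storepass" unless="sign.storepass">
    <!-- Unattended builds (started with build.unattended set) fail fast
         instead of blocking on a prompt nobody is watching. -->
    <fail if="build.unattended"
          message="sign.storepass is not set; provide ${secrets.file}"/>
    <input message="Keystore password:" addproperty="sign.storepass">
      <!-- Non-echoing handler; needs Ant 1.8 or later on Java 6 or later,
           both newer than this thread. -->
      <handler type="secure"/>
    </input>
  </target>

  <target name="sign" depends="ask-storepass">
    <fail unless="sign.alias"
          message="sign.alias is not set; see ${secrets.file}"/>
    <signjar jar="dist/app.jar"
             alias="${sign.alias}"
             storepass="${sign.storepass}"/>
  </target>

</project>
```

Only the build file ships with the source; the properties file stays on the signing machine.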