[jira] Commented: (IVY-486) Credentials are shown in build log even if debug is not enabled

["Gilles Scokart (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/IVY-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12492272 ] 

Gilles Scokart commented on IVY-486:
------------------------------------

If you only need credentials to get the configuration file (now called settings file in 2.0).  The workaround migth be to not use a remote configurations file.  You can maybe first download the file from your ant script, then use it locally.

But if your credentials are also suposed to be used to acces repositories...  then there is indeed a big security issue !   

> Credentials are shown in build log even if debug is not enabled
> ---------------------------------------------------------------
>
>                 Key: IVY-486
>                 URL: https://issues.apache.org/jira/browse/IVY-486
>             Project: Ivy
>          Issue Type: Bug
>          Components: Ant
>    Affects Versions: 1.4.1
>            Reporter: Pavel Sher
>
> I have the following construction in my Ant build.xml:
>     <ivy-configure file="${basedir}/ivyconf.xml">
>       <credentials host="host" realm="realm" username="user" passwd="pass" />
>     </ivy-configure>
> When Ant starts this build.xml I see in the output: 
> credentials added realm@host user/pass
> This output is produced by CredentialsStore class even if debug level is not enabled. As I can see the problem is that Messages.init is called after the adding of credentials and this message goes right to the system error and then it is printed by Ant itself. The problem is critical for me because I want to use this build.xml in the continuous integration server and I do not want my credentials to be shown in the build log. Is there a workaround for this?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.