You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Jimisola Laursen (Jira)" <ji...@apache.org> on 2022/01/23 22:43:00 UTC
[jira] [Commented] (MWRAPPER-46) Simplify use of Maven Wrapper in different environments (basic auth required)
[ https://issues.apache.org/jira/browse/MWRAPPER-46?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17480748#comment-17480748 ]
Jimisola Laursen commented on MWRAPPER-46:
------------------------------------------
Ok. Is this a WON'T FIX or is there something that can be done?
> Simplify use of Maven Wrapper in different environments (basic auth required)
> -----------------------------------------------------------------------------
>
> Key: MWRAPPER-46
> URL: https://issues.apache.org/jira/browse/MWRAPPER-46
> Project: Maven Wrapper
> Issue Type: Improvement
> Affects Versions: 3.1.0
> Reporter: Jimisola Laursen
> Priority: Normal
>
> I'll describe our use-case as I suspect that we might be alone with this one.
> This ticket relates to:
> # MVNW_REPOURL being insufficient
> # user not being able to set MVNW_USERNAME/PASSWORD in plain text due security
> *Prerequisites:*
> * _Self-hosted Maven 2 repo that requires basic auth_ (Nexus with proxy for Maven Central)
> * Environments:
> ** Local machine: need to use proxy for Internet, can't set MVNW_USERNAME/PASSWORD in plain text due security
> ** Pipeline/Deployment (k8s): need to use proxy for Internet, MVNW_USERNAME/PASSWORD are set
> * We want to be able to specify wrapper and/or Maven version (hence, use maven-wrapper.properties)
> *Use-case:* all downloads, but local and in cluster/cloud, should go via our self-hosted Maven 2 repo that requires basic auth
> *Setup cases:*
> # Setting MVNW_REPOURL in both environments causes two problems:
> ## local machine: we would have to set MVNW_USER/PASSWORD (can't due to security risk)
> ## k8s: MVNW_REPOURL environment variable, strangely, doesn't override value in maven-wrapper.properties, but vice versa. Is this really common practise? Compare with e.g. [Spring Boot's Externalized Configuration|https://docs.spring.io/spring-boot/docs/1.2.3.RELEASE/reference/html/boot-features-external-config.html]. So, we would have to either change the base url in the maven-wrapper.properties in k8s explicitly since we want to keep the version information for maven-wrapper and Maven.
> # Changing the urls to the self-hosted repo in maven-wrapper.properties:
> ## local machine: we would have to set MVNW_USER/PASSWORD (can't due to security risk)
> ## k8s: would work since MVNW_USERNAME/PASSWORD are set
> # Having maven-wrapper.jar checked in doesn't solve the issue since Maven itself has to be downloaded as well and basic auth not set.
> *Ideas:*
> # be able to use [Password Encryption|https://maven.apache.org/guides/mini/guide-encryption.html] and have password encrypted in settings.xml or in MVNW_PASSWORD: issue of course being that Maven Password Encryption is not available during bootstrapping.
> # change the behavior of MVNW_REPOURL so that it has the highest priority and supersedes defaults in mvnw[.cmd] script as well as in maven-wrapper.properties: at least then we can keep a correct maven-wrapper.properties (w/ self-hosted Maven repo) and set MVNW_REPOURL to Maven Central on local machine for bootstrapping.
> *Proposed semi-solution:*
> * Change priority of MVNW_REPOURL or, for backwards compatibility, add another environment variable which supersedes all other settings
--
This message was sent by Atlassian Jira
(v8.20.1#820001)