You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Jimisola Laursen (Jira)" <ji...@apache.org> on 2022/01/23 22:43:00 UTC

[jira] [Commented] (MWRAPPER-46) Simplify use of Maven Wrapper in different environments (basic auth required)

    [ https://issues.apache.org/jira/browse/MWRAPPER-46?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17480748#comment-17480748 ] 

Jimisola Laursen commented on MWRAPPER-46:
------------------------------------------

Ok. Is this a WON'T FIX or is there something that can be done?

> Simplify use of Maven Wrapper in different environments (basic auth required)
> -----------------------------------------------------------------------------
>
>                 Key: MWRAPPER-46
>                 URL: https://issues.apache.org/jira/browse/MWRAPPER-46
>             Project: Maven Wrapper
>          Issue Type: Improvement
>    Affects Versions: 3.1.0
>            Reporter: Jimisola Laursen
>            Priority: Normal
>
> I'll describe our use-case as I suspect that we might be alone with this one.
> This ticket relates to:
>  # MVNW_REPOURL being insufficient
>  # user not being able to set MVNW_USERNAME/PASSWORD in plain text due security
> *Prerequisites:* 
>  * _Self-hosted Maven 2 repo that requires basic auth_ (Nexus with proxy for Maven Central)
>  * Environments:
>  ** Local machine: need to use proxy for Internet, can't set MVNW_USERNAME/PASSWORD in plain text due security
>  ** Pipeline/Deployment (k8s): need to use proxy for Internet, MVNW_USERNAME/PASSWORD are set
>  * We want to be able to specify wrapper and/or Maven version (hence, use maven-wrapper.properties)
> *Use-case:* all downloads, but local and in cluster/cloud, should go via our self-hosted Maven 2 repo that requires basic auth
> *Setup cases:*
>  # Setting MVNW_REPOURL in both environments causes two problems:
>  ## local machine: we would have to set MVNW_USER/PASSWORD (can't due to security risk)
>  ## k8s: MVNW_REPOURL environment variable, strangely, doesn't override value in maven-wrapper.properties, but vice versa. Is this really common practise? Compare with e.g. [Spring Boot's Externalized Configuration|https://docs.spring.io/spring-boot/docs/1.2.3.RELEASE/reference/html/boot-features-external-config.html]. So, we would have to either change the base url in the maven-wrapper.properties in k8s explicitly since we want to keep the version information for maven-wrapper and Maven.
>  # Changing the urls to the self-hosted repo in maven-wrapper.properties:
>  ## local machine: we would have to set MVNW_USER/PASSWORD (can't due to security risk)
>  ## k8s: would work since MVNW_USERNAME/PASSWORD are set
>  # Having maven-wrapper.jar checked in doesn't solve the issue since Maven itself has to be downloaded as well and basic auth not set.
> *Ideas:*
>  # be able to use [Password Encryption|https://maven.apache.org/guides/mini/guide-encryption.html] and have password encrypted in settings.xml or in MVNW_PASSWORD: issue of course being that Maven Password Encryption is not available during bootstrapping.
>  # change the behavior of MVNW_REPOURL so that it has the highest priority and supersedes defaults in mvnw[.cmd] script as well as in maven-wrapper.properties: at least then we can keep a correct maven-wrapper.properties (w/ self-hosted Maven repo) and set MVNW_REPOURL to Maven Central on local machine for bootstrapping.
> *Proposed semi-solution:*
>  * Change priority of MVNW_REPOURL or, for backwards compatibility, add another environment variable which supersedes all other settings



--
This message was sent by Atlassian Jira
(v8.20.1#820001)