...

  1. Password Obfuscation
    1. Provide a plugin which a user can use to obfuscate their passwords and use this generated secured password in their settings.xml file.
    2. Implement reading of obfuscated passwords in Maven (plexus? or maven-core?)
      • Add a flag/parameter to enable the use of obfuscated passwords in Maven during the build. Add an <obfuscation> parameter in the settings.xml, as suggested by Benjamin (see comment below). In this case, Maven would first check the value of this parameter and de-obfuscate the password if specified.
      • Or use a keyword prepended to the password to tell Maven that the password is obfuscated (like what Jetty does). For example, <password>OBF:securedPassword</password> with 'OBF:' as the keyword.
    3. Prompt for a password if none is found in the settings.xml. Use a parameter like the --non-interactive flag of the maven-release-plugin in order to disable this. (Already handled by Wagon as pointed out by Brett)
  2. Password Encryption
    1. Interactive:
      1. Provide a plugin or use plexus-keystore (http://svn.codehaus.org/plexus/archive/plexus-sandbox/trunk/plexus-components/plexus-password-store) to create the key store where the server credentials would be stored.
      2. In Maven:
        • Add a parameter to tell Maven the location of the keystore. (Ex. -DkeystoreLocation=/path/to/keystore)
        • If the keystore location parameter is specified, Maven would disregard the <password> set in the settings.xml file (if there is any) and prompt for the master password of the keystore. The server credentials will be retrieved from the keystore if the entered master password is correct. Use the retrieved credentials to access the secured server.
        • Otherwise, use the <password> set in the settings.xml file if there is any.
    2. Non-interactive:
      1. Same implementation as 'Interactive', except that the master password for the keystore can be set via a command-line parameter.
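
The lookup order described in items 1 and 2, as an added Java sketch that is not code from Maven or from this proposal. The class, interface and parameter names are hypothetical, and the de-obfuscation and keystore steps in main are constructed stand-ins.

```java
import java.util.Arrays;
import java.util.function.Function;
import java.util.function.Supplier;

// Added sketch: every name here is hypothetical, none of this is a Maven API.
public class CredentialResolver {
    static final String OBF_PREFIX = "OBF:"; // keyword from the proposal

    // Hypothetical hook: returns the server password, throws on a wrong master password.
    interface KeystoreReader { String read(String location, char[] master) throws Exception; }

    static String resolve(String keystoreLocation, char[] cliMaster, String settingsPassword,
                          boolean interactive, Supplier<char[]> prompt, KeystoreReader keystore,
                          Function<String, String> deobfuscate) throws Exception {
        if (keystoreLocation != null) {
            // Keystore wins: the settings.xml <password> is disregarded, never used as a fallback.
            char[] master = cliMaster;
            if (master == null) {
                if (!interactive) throw new IllegalStateException("keystore set, no master password");
                master = prompt.get();
            }
            try { return keystore.read(keystoreLocation, master); }
            finally { Arrays.fill(master, '\0'); } // do not keep the master password in memory
        }
        if (settingsPassword != null) {
            // Only values carrying the keyword are de-obfuscated; others are used as-is.
            return settingsPassword.startsWith(OBF_PREFIX)
                    ? deobfuscate.apply(settingsPassword.substring(OBF_PREFIX.length()))
                    : settingsPassword;
        }
        if (!interactive) throw new IllegalStateException("no password configured");
        return new String(prompt.get());
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins: string reversal as "obfuscation", an in-memory "keystore".
        Function<String, String> deobf = s -> new StringBuilder(s).reverse().toString();
        KeystoreReader ks = (loc, mp) -> {
            if (!Arrays.equals(mp, "master".toCharArray())) throw new SecurityException("wrong master password");
            return "fromKeystore";
        };
        System.out.println(resolve(null, null, "OBF:terces", false, () -> null, ks, deobf));
        System.out.println(resolve("/path/to/keystore", "master".toCharArray(), "ignored", false, () -> null, ks, deobf));
    }
}
```

The stand-in de-obfuscator needs no key, which is the difference between items 1 and 2: an obfuscated value only resists casual reading of settings.xml. A master password passed on the command line is visible in process listings and shell history on the build host.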

...