Versions Compared

Old Version 7

changes.mady.by.user Maria Ching

Saved on

compared with

New Version Current

changes.mady.by.user Maria Ching

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

...

Provide a way for securing passwords in settings.xml, instead of just storing it in plain text.

Design

  1. Password Obfuscation
    1. Provide a plugin which a user can use to obfuscate their passwords and use this generated secured password in their settings.xml file.
    2. Implement reading of obfuscated passwords in Maven (plexus? or maven-core?)
      • add a flag/parameter to enable the use of obfuscated passwords in Maven during the build. Add an
    <obfuscated>
      • <obfuscation> parameter in the settings.xml, as suggested by Benjamin (see comment below). In this case, Maven would
    "un-obfuscate" the password configured in the settings.xml. If it's not able pass the authentication, then assume that the password set in settings.xml is in plain text and try again. This condition was put because the user may opt not to obfuscate all the passwords set in their settings.xml. The drawback here is that there would be an additional overhead time because authentication may happen twice if the first attempt with the obfuscated password assumption did not pass
      • check first the value of this parameter and perform un-obfuscation to the password if specified.
      • or, use a keyword prepended to the password to tell Maven that the password is obfuscated (like what Jetty does). For example, <password>OBF:securedPassword</password> with 'OBF:' as the keyword.
    2. Prompt for a password if none is found in the settings.xml. Use a parameter like the --non-interactive flag of the maven-release-plugin in order to disable this. (Already handled by Wagon as pointed out by Brett)

Consideration(s)

...

  1. Password Encryption
    This can be implemented in two ways:
    1. Using a keystore for the server passwords
      1. Interactive:
        • Use plexus-password-store (http://svn.codehaus.org/plexus/archive/plexus-sandbox/trunk/plexus-components/plexus-password-store) to create the key store where the server credentials would be stored. Maven can also use this component for accessing the keystore as specified in the next point.
        • In Maven:
          • Add a parameter to tell Maven the location of the keystore. (Ex. -DkeystoreLocation=/path/to/keystore)
          • If the keystore location parameter is specified, Maven would disregard the <password> set in the settings.xml file (if there is any) and prompt for the master password of the keystore. The server credentials will be retrieved from the keystore if the entered master password is correct. Use the retrieved credentials to access the secured server.
          • Otherwise, use the <password> (if there is any) set in the settings.xml file. (Take into account password obfuscation here if it will be implemented.)
      2. Non-interactive:
        • Same implementation as 'Interactive', except that the master password for the keystore can be set via a command-line parameter instead of Maven prompting for it. The drawback here is that the master password would be in plain text.
    2. Using password-based encryption on the password in <settings.xml> (see Oleg's comment below)

Limitation(s)

Password Encryption:

  1. <password> in settings.xml would be disregarded if the server credentials would be retrieved from the key store.

References

Securing Passwords in Jetty