
Securing Passwords in Maven (MNG-553)

Goal

Provide a way to secure the passwords in settings.xml instead of storing them in plain text.

Design

  1. Create a utility jar which a user can use to obfuscate their passwords and use this generated secured password in their settings.xml file.
  2. Implement reading of obfuscated passwords in Maven (plexus? or maven-core?)
    • add a flag/parameter that enables the use of obfuscated passwords in Maven during the build. In this case, Maven would treat each password configured in the settings.xml as obfuscated. If authentication fails, assume the password is in plain text and try again. This condition is needed because the user may opt not to obfuscate all the passwords set in their settings.xml. The drawback is the additional overhead: authentication may happen twice whenever the first attempt, made under the obfuscated-password assumption, does not pass.
    • or, use a keyword prepended to the password to tell Maven that the password is obfuscated (like what Jetty does). For example, <password>OBF:securedPassword</password> with 'OBF:' as the keyword.
  3. Prompt for a password if none is found in the settings.xml. Use a parameter like the --non-interactive flag of the maven-release-plugin in order to disable this.
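The prefix-keyed approach from option 2 above, as an added example (not Maven's or Jetty's code): the `OBF:` marker decides whether a settings.xml password is decoded or used as-is, so no second authentication attempt is needed, and a missing `<password>` is reported as unset for step 3 to prompt on. The encoding is an ASCII-only reimplementation assumed to follow the shape of Jetty's OBF form; the function names and the sample settings are mine.

```python
import xml.etree.ElementTree as ET

OBF_PREFIX = "OBF:"
_BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"

def _to_base36(n: int) -> str:
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = _BASE36[r] + out
    return out.rjust(4, "0")

def obfuscate(plain: str) -> str:
    # Pair each byte with its mirror byte, pack into a 4-digit base-36 group (ASCII only).
    data = plain.encode("ascii")
    groups = []
    for i, b1 in enumerate(data):
        b2 = data[-(i + 1)]
        groups.append(_to_base36((127 + b1 + b2) * 256 + (127 + b1 - b2)))
    return OBF_PREFIX + "".join(groups)

def deobfuscate(value: str) -> str:
    # Inverse: i1 + i2 == 254 + 2*b1, so each group yields its byte; no key needed.
    body = value[len(OBF_PREFIX):] if value.startswith(OBF_PREFIX) else value
    if len(body) % 4:
        raise ValueError("malformed obfuscated password")
    out = bytearray()
    for i in range(0, len(body), 4):
        i1, i2 = divmod(int(body[i:i + 4], 36), 256)
        out.append((i1 + i2 - 254) // 2)
    return out.decode("ascii")

def resolve_password(value: str) -> str:
    # Design option 2b: the prefix, not a trial login, tells the two forms apart.
    return deobfuscate(value) if value.startswith(OBF_PREFIX) else value

def load_server_passwords(settings_xml: str) -> dict:
    # <server> id -> usable password; None (not set) is what step 3 would prompt for.
    result = {}
    for server in ET.fromstring(settings_xml).iter("server"):
        pw = server.findtext("password")
        result[server.findtext("id")] = None if pw is None else resolve_password(pw)
    return result

# Constructed sample, deliberately without xmlns so the plain tag names above match.
SAMPLE_SETTINGS = """<settings><servers>
  <server><id>releases</id><password>%s</password></server>
  <server><id>legacy</id><password>plain-text-pw</password></server>
  <server><id>prompt-me</id><username>dev</username></server>
</servers></settings>""" % obfuscate("s3cret!")
```

Because the transform is keyless, anyone who can read settings.xml can recover the password with deobfuscate(); the scheme only hides the value from a casual glance, which is the gap that the encryption option under Considerations addresses.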

Considerations

Aside from obfuscating passwords, encryption and checksums can also be used to secure passwords, as Jetty does. See the reference below.

References

Securing Passwords in Jetty