Securing Passwords in settings.xml (MNG-553)

Goal

Provide a way to secure passwords in settings.xml, instead of just storing them in plain text.

Design

  1. Provide a utility jar which a user can use to obfuscate their passwords, and use the generated secured password in their settings.xml file.
  2. Implement reading of obfuscated passwords in Maven (plexus? or maven-core?)
    • add a flag/parameter that enables the use of obfuscated passwords in Maven during the build, i.e. an <obfuscated> parameter in the settings.xml, as suggested by Benjamin (see comment below). In this case, Maven would "un-obfuscate" the password configured in the settings.xml. If authentication fails, Maven then assumes that the password set in settings.xml is in plain text and tries again. This fallback is needed because the user may opt not to obfuscate all the passwords set in their settings.xml. The drawback is the additional overhead: authentication may happen twice if the first attempt, under the obfuscated-password assumption, did not succeed.
    • or, prepend a keyword to the password to tell Maven that it is obfuscated (as Jetty does); for example <password>OBF:securedPassword</password>, with 'OBF:' as the keyword.
  3. Prompt for a password if none is found in the settings.xml. Use a parameter like the --non-interactive flag of the maven-release-plugin to disable this. (Already handled by Wagon, as pointed out by Brett.)
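A worked example of the second design option, the 'OBF:' keyword with plain-text fallback, added here and not part of the original page or of Maven itself: the function names and the sample settings.xml are constructed, and the obfuscation is a toy reversible transform (hypothetical, not Jetty's algorithm).

```python
import base64
import xml.etree.ElementTree as ET

OBF_PREFIX = "OBF:"
# Toy scheme (hypothetical, not Jetty's algorithm): reverse the bytes, XOR
# each with a constant, base64-encode. Reversible without any secret, so the
# stored value is hidden from a casual glance only, not protected.
_MASK = 0x5A

def obfuscate(plain: str) -> str:
    raw = plain.encode("utf-8")[::-1]
    masked = bytes(b ^ _MASK for b in raw)
    return OBF_PREFIX + base64.b64encode(masked).decode("ascii")

def deobfuscate(token: str) -> str:
    if not token.startswith(OBF_PREFIX):
        raise ValueError("not an OBF: value")
    masked = base64.b64decode(token[len(OBF_PREFIX):])
    return bytes(b ^ _MASK for b in masked)[::-1].decode("utf-8")

def resolve_password(value: str) -> str:
    """Design option 2: the keyword, not a retry, tells Maven which form it has."""
    if value.startswith(OBF_PREFIX):
        return deobfuscate(value)
    return value  # no keyword: the value is plain text, used as-is

def _local(tag: str) -> str:
    """Strip the settings.xml namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def load_server_passwords(settings_xml: str) -> dict:
    """Return {server id: plain-text password} for every <server> entry."""
    root = ET.fromstring(settings_xml)
    result = {}
    for server in root.iter():
        if _local(server.tag) != "server":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in server}
        if "id" in fields and "password" in fields:
            result[fields["id"]] = resolve_password(fields["password"])
    return result

# Constructed sample settings.xml: one obfuscated and one plain-text password.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>internal-repo</id><password>{obf}</password></server>
    <server><id>legacy-repo</id><password>plainsecret</password></server>
  </servers>
</settings>""".format(obf=obfuscate("s3cr3t!"))
```

Because the transform needs no key, anyone who can read the settings.xml can recover the password; the keyword only removes the double-authentication overhead of the first option, and the encryption mentioned under Consideration(s) is what actually protects the value.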

Consideration(s)

Aside from obfuscation, encryption and checksums can also be used to secure passwords, as Jetty does. See the reference below.

References

Securing Passwords in Jetty