Securing Passwords in settings.xml (MNG-553)
Goal
Provide a way to secure passwords in settings.xml, instead of just storing them in plain text.
Design
- Password Obfuscation
  - Provide a plugin which a user can use to obfuscate their passwords, and use the generated secured password in their settings.xml file.
  - Implement reading of obfuscated passwords in Maven (plexus? or maven-core?)
    - Add a flag/parameter to enable the use of obfuscated passwords in Maven during the build: add an <obfuscation> parameter in the settings.xml, as suggested by Benjamin (see comment below). In this case, Maven would first check the value of this parameter and de-obfuscate the password if it is specified.
    - Or, use a keyword prepended to the password to tell Maven that the password is obfuscated (like what Jetty does). For example, <password>OBF:securedPassword</password> with 'OBF:' as the keyword.
  - Prompt for a password if none is found in the settings.xml. Use a parameter like the --non-interactive flag of the maven-release-plugin in order to disable this. (Already handled by Wagon, as pointed out by Brett.)
- Password Encryption
  - ...
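The two marker options above (the <obfuscation> parameter and the 'OBF:' keyword) can be compared side by side in the sketch below, which is an added example and not code from this proposal, Maven or Jetty. The transform, the function names, the sample file and the placement of <obfuscation> inside <server> are all assumptions made for illustration.

```python
import base64
import xml.etree.ElementTree as ET

PREFIX = "OBF:"  # keyword from the page's example

# Constructed sample. Placing <obfuscation> inside <server> is an assumption.
SAMPLE_SETTINGS = """<settings><servers>
  <server><id>plain</id><password>s3cret</password></server>
  <server><id>prefixed</id><password>OBF:dGVyY2Vz</password></server>
  <server><id>flagged</id><obfuscation>true</obfuscation><password>dGVyY2Vz</password></server>
  <server><id>literal</id><password>OBF:hunter2!</password></server>
  <server><id>prompt</id></server>
</servers></settings>"""

def obfuscate(password):
    """Plugin side. Stand-in transform (base64 of the reversed string);
    hypothetical, NOT Jetty's OBF algorithm. Reversible without any key."""
    return base64.b64encode(password[::-1].encode("utf-8")).decode("ascii")

def deobfuscate(text):
    """Maven side: inverse of obfuscate(); raises ValueError on bad input."""
    return base64.b64decode(text, validate=True).decode("utf-8")[::-1]

def resolve(server):
    """Return (status, password) for one <server> element."""
    raw = server.findtext("password")
    if raw is None:
        return ("prompt", None)  # no password stored: ask the user
    flagged = (server.findtext("obfuscation") or "").strip().lower() == "true"
    if flagged:
        body = raw  # out-of-band marker: the whole value is obfuscated
    elif raw.startswith(PREFIX):
        body = raw[len(PREFIX):]  # in-band marker: strip the keyword
    else:
        return ("plaintext", raw)
    try:
        return ("deobfuscated", deobfuscate(body))
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return ("invalid", None)  # fail closed instead of sending raw text

def resolve_all(xml_text):
    root = ET.fromstring(xml_text)
    return {s.findtext("id"): resolve(s) for s in root.iter("server")}

if __name__ == "__main__":
    for server_id, (status, _) in resolve_all(SAMPLE_SETTINGS).items():
        print(f"{server_id}: {status}")  # status only; never log the password
```

The "literal" entry shows the cost of the in-band keyword: a real password that happens to begin with 'OBF:' cannot be stored as-is, whereas the separate <obfuscation> parameter has no such collision.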
Consideration(s)
Aside from obfuscating passwords, encryption and checksums can also be used to secure passwords, as implemented in Jetty. See reference below.