[ https://issues.apache.org/jira/browse/MWRAPPER-46?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464068#comment-17464068 ]
Michael Osipov commented on MWRAPPER-46:
----------------------------------------

The Maven password encryption is moot and gives you a false sense of security. You still must retain a plaintext password for the system. No gain here. [~cstamas]

> Simplify use of Maven Wrapper in different environments (basic auth required)
> -----------------------------------------------------------------------------
>
>                 Key: MWRAPPER-46
>                 URL: https://issues.apache.org/jira/browse/MWRAPPER-46
>             Project: Maven Wrapper
>          Issue Type: Improvement
>    Affects Versions: 3.1.0
>            Reporter: Jimisola Laursen
>            Priority: Normal
>
> I'll describe our use-case as I suspect that we might be alone with this one.
> This ticket relates to:
> # MVNW_REPOURL being insufficient
> # user not being able to set MVNW_USERNAME/PASSWORD in plain text due to security
>
> *Prerequisites:*
> * _Self-hosted Maven 2 repo that requires basic auth_ (Nexus with proxy for Maven Central)
> * Environments:
> ** Local machine: need to use proxy for Internet, can't set MVNW_USERNAME/PASSWORD in plain text due to security
> ** Pipeline/Deployment (k8s): need to use proxy for Internet, MVNW_USERNAME/PASSWORD are set
> * We want to be able to specify wrapper and/or Maven version (hence, use maven-wrapper.properties)
>
> *Use-case:* all downloads, but local and in cluster/cloud, should go via our self-hosted Maven 2 repo that requires basic auth
>
> *Setup cases:*
> # Setting MVNW_REPOURL in both environments causes two problems:
> ## local machine: we would have to set MVNW_USER/PASSWORD (can't due to security risk)
> ## k8s: MVNW_REPOURL environment variable, strangely, doesn't override value in maven-wrapper.properties, but vice versa. Is this really common practice? Compare with e.g. [Spring Boot's Externalized Configuration|https://docs.spring.io/spring-boot/docs/1.2.3.RELEASE/reference/html/boot-features-external-config.html].
> So, we would have to either change the base url in the maven-wrapper.properties in k8s explicitly since we want to keep the version information for maven-wrapper and Maven.
> # Changing the urls to the self-hosted repo in maven-wrapper.properties:
> ## local machine: we would have to set MVNW_USER/PASSWORD (can't due to security risk)
> ## k8s: would work since MVNW_USERNAME/PASSWORD are set
> # Having maven-wrapper.jar checked in doesn't solve the issue since Maven itself has to be downloaded as well and basic auth not set.
>
> *Ideas:*
> # be able to use [Password Encryption|https://maven.apache.org/guides/mini/guide-encryption.html] and have password encrypted in settings.xml or in MVNW_PASSWORD: issue of course being that Maven Password Encryption is not available during bootstrapping.
> # change the behavior of MVNW_REPOURL so that it has the highest priority and supersedes defaults in mvnw[.cmd] script as well as in maven-wrapper.properties: at least then we can keep a correct maven-wrapper.properties (w/ self-hosted Maven repo) and set MVNW_REPOURL to Maven Central on local machine for bootstrapping.
>
> *Proposed semi-solution:*
> * Change priority of MVNW_REPOURL or, for backwards compatibility, add another environment variable which supersedes all other settings