[jira] Commented: (MNG-553) Secure Storage of Server Passwords

Mon, 18 Aug 2008 00:00:29 -0700 

    [ 
http://jira.codehaus.org/browse/MNG-553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=145297#action_145297
 ] 

Brett Porter commented on MNG-553:
----------------------------------

as long as one implementation uses a Java keystore, you can use the Keychain on 
OS X: 
http://developer.apple.com/documentation/Java/Conceptual/Java14Development/04-JavaUIToolkits/JavaUIToolkits.html#//apple_ref/doc/uid/TP40001901-210260

However, I don't believe this will give access to existing internet passwords, 
etc. It just allows you to store keys in there.

> Secure Storage of Server Passwords
> ----------------------------------
>
>                 Key: MNG-553
>                 URL: http://jira.codehaus.org/browse/MNG-553
>             Project: Maven 2
>          Issue Type: Improvement
>          Components: Settings
>    Affects Versions: 2.0-alpha-3
>         Environment: Although it may not be relevant since this is a general 
> improvement issue, Windows XP, JDK 1.4.1.
>            Reporter: J. Michael McGarr
>            Assignee: Brett Porter
>            Priority: Critical
>             Fix For: 3.0
>
>
> This was a question pose to the Maven User's Group and it was suggested I add 
> it here.  
> It would be benefitial to provide a more secure means of storing password's 
> to the servers listed in the .m2/settings.xml.  They are currently being 
> stored as plain text and could definately be considered a security breach.  
> Numerous organizations would undoubtedly considered this an unacceptable 
> security risk, and this could prevent widespread adoption of Maven2.
> I would suggest leaving an option to encrypt the password into the settings 
> file (more secure, but not foolproof) or even requiring the password to be 
> manually provided per build (would prevent automation of builds).  I am sure 
> that there is a secure solution to this problem and it should be part of the 
> 2.0 release.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to