[jira] Commented: (MNG-553) Secure Storage of Server Passwords

Tue, 27 Jan 2009 01:55:51 -0800 

    [ 
http://jira.codehaus.org/browse/MNG-553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=162646#action_162646
 ] 

Benjamin Bentmann commented on MNG-553:
---------------------------------------

Some comments:

{{SecUtil.read()}} leaks file handles in case of exceptions, the call to 
{{in.close()}} should be moved to a {{finally}} block.

{{SecUtil.toStream()}} suffers from the same subtle bug I reported in 
MERCURY-63.

The impl of {{DefaultSecDispatcher.isEncryptedString()}} introduces a 
regression for any passwords of the form {{\*\{\*}\*}} , causing the build to 
fail with a FATAL ERROR. Why don't we extend the settings model with an 
additional element to clearly indicate
a) that the password is encrypted instead of checking for some arbitrary syntax
b) what password encryption method is used if in the future we come up with 
alternatives users can choose from


> Secure Storage of Server Passwords
> ----------------------------------
>
>                 Key: MNG-553
>                 URL: http://jira.codehaus.org/browse/MNG-553
>             Project: Maven 2
>          Issue Type: Improvement
>          Components: Settings
>    Affects Versions: 2.0-alpha-3
>         Environment: Although it may not be relevant since this is a general 
> improvement issue, Windows XP, JDK 1.4.1.
>            Reporter: J. Michael McGarr
>            Assignee: Brett Porter
>            Priority: Critical
>             Fix For: 2.1.0-M2
>
>
> This was a question pose to the Maven User's Group and it was suggested I add 
> it here.  
> It would be benefitial to provide a more secure means of storing password's 
> to the servers listed in the .m2/settings.xml.  They are currently being 
> stored as plain text and could definately be considered a security breach.  
> Numerous organizations would undoubtedly considered this an unacceptable 
> security risk, and this could prevent widespread adoption of Maven2.
> I would suggest leaving an option to encrypt the password into the settings 
> file (more secure, but not foolproof) or even requiring the password to be 
> manually provided per build (would prevent automation of builds).  I am sure 
> that there is a secure solution to this problem and it should be part of the 
> 2.0 release.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to