[ https://jira.codehaus.org/browse/MNG-4099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=312502#comment-312502 ]

Knut Vidar Siem commented on MNG-4099:
--------------------------------------

As far as I can tell, the password collection is implemented in
[org.apache.maven.cli.MavenCli#encryption(CliRequest)|http://maven.apache.org/ref/3.0.4/maven-embedder/xref/org/apache/maven/cli/MavenCli.html#483]
using [commons-cli|http://commons.apache.org/cli/]. A straightforward
implementation prompting for the password while not echoing it would be to use
[java.io.Console#readPassword()|http://docs.oracle.com/javase/6/docs/api/java/io/Console.html#readPassword()]
from JDK6 if possible. Suggested pre-JDK6 solutions seem surprisingly complex,
such as [concurrently sending backspace characters|http://web.archive.org/web/20110604072946/http://java.sun.com/developer/technicalArticles/Security/pwordmask/],
or non-portable (JNI).

There is a comment in the code suggesting that this functionality should be 
moved to a separate tool. Why is that and what kind of tool would that be, a 
plugin or a completely separate utility? 
                
> Password encryption CLI switches should prompt for password if missing
> ----------------------------------------------------------------------
>
>                 Key: MNG-4099
>                 URL: https://jira.codehaus.org/browse/MNG-4099
>             Project: Maven 2 & 3
>          Issue Type: Improvement
>          Components: Command Line
>    Affects Versions: 2.1.0
>            Reporter: Mark Hobson
>            Priority: Trivial
>             Fix For: 3.x / Backlog
>
>
> The -emp and -ep CLI switches should prompt for a password if the user omits 
> it.  This would help to avoid having to escape shell characters in strong 
> passwords.
> Note that the docs mention that these switches prompt for a password when 
> they do not:
> http://maven.apache.org/guides/mini/guide-encryption.html

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
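
The prompt-if-missing behaviour requested in the issue, using the `java.io.Console#readPassword()` approach named in the comment, as an added example. It is not code from Maven or from the commenter: the class `PasswordPrompt` and the method `resolvePassword` are hypothetical names, and failing when no console is attached is an assumption about the desired behaviour.

```java
import java.io.Console;
import java.util.Arrays;

// Added illustration; PasswordPrompt and resolvePassword are hypothetical names, not Maven code.
public final class PasswordPrompt {

    /** Returns the value given with the switch if present, otherwise prompts without echo. */
    static char[] resolvePassword(String cliValue, Console console) {
        if (cliValue != null && !cliValue.isEmpty()) {
            return cliValue.toCharArray();          // password was supplied on the command line
        }
        if (console == null) {
            // System.console() is null when no interactive terminal is attached (CI, pipes).
            // Fail rather than fall back to an echoing read from System.in.
            throw new IllegalStateException("No interactive console; cannot prompt for password");
        }
        char[] first = console.readPassword("Password: ");
        if (first == null) {                        // end of stream reached, nothing typed
            throw new IllegalStateException("No password entered");
        }
        char[] second = console.readPassword("Confirm password: ");
        try {
            if (second == null || !Arrays.equals(first, second)) {
                Arrays.fill(first, '\0');           // wipe the rejected entry
                throw new IllegalArgumentException("Passwords do not match");
            }
            return first;
        } finally {
            if (second != null) {
                Arrays.fill(second, '\0');          // the confirmation copy is never returned
            }
        }
    }

    public static void main(String[] args) {
        // Constructed usage: the first argument stands in for the value of -ep / -emp.
        String cliValue = args.length > 0 ? args[0] : null;
        char[] password = resolvePassword(cliValue, System.console());
        try {
            System.out.println("Read " + password.length + " characters");
        } finally {
            Arrays.fill(password, '\0');            // clear the buffer once it has been used
        }
    }
}
```

Because the prompt reads into a `char[]`, the caller can overwrite the buffer after use, which is not possible with the `String` that arrives through `args`.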

        
