[jira] (MNG-5512) Deploy uses passwords that failed decryption; retries even if login fails

Thu, 23 Jan 2014 11:19:42 -0800 

    [ 
https://jira.codehaus.org/browse/MNG-5512?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=339922#comment-339922
 ] 

SebbASF commented on MNG-5512:
------------------------------

Unpack the project zip in a suitable directory.

Ensure that settings.xml has the following section completed correctly:

    <!-- To publish a snapshot -->
    <server>
      <id>apache.snapshots.https</id>
      <username>name</username>
      <password>password</password>
    </server>

Use "mvn deploy" to deploy the snapshot.

It should deploy the snapshot OK to the org.apache.maven snapshot repo.

Now change your login password (but without changing settings.xml)
This is the normal use case - user updates login password, but forgets to 
update settings.xml.
[If you don't wish to change the login password, change the saved password in 
settings.xml instead so it is no longer valid]

Rerun "mvn deploy".

The deploy phase will try to login several times with the same password; these 
should all fail.

BEWARE: this may well cause the user account to be locked.

[ASF Maven committers should be able to reset their password using the 
self-service app. If not, they will have to contact the ASF Infra team]

The attempt to deploy a snapshot should not repeatedly use the same bad 
password, but should cause the process to be abandoned as soon as the password 
is first rejected.
                
> Deploy uses passwords that failed decryption; retries even if login fails
> -------------------------------------------------------------------------
>
>                 Key: MNG-5512
>                 URL: https://jira.codehaus.org/browse/MNG-5512
>             Project: Maven 2 & 3
>          Issue Type: Bug
>            Reporter: SebbASF
>         Attachments: mng5512.zip
>
>
> [See MDEPLOY-130 which was closed as being an issue in Maven core]
> If passwords have been encrypted, deploy fails to notice if the password 
> decryption failed.
> Furthermore, it carries on trying to login even after a login failure.
> This is true even if the decryption succeeded but the password was incorrect 
> or no encryption was used and the password is incorrect.
> This is bad as it can result in lockout due to the multiple failed logins - 
> deploy needs to login several times - and may cause unnecessary work for 
> system admins.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to