Blog Xebia France

November 27th, 2009

Maven Definitive Guide FR: encrypt your passwords

Having mentioned it at the end of September, you may already know that I am taking part in the translation. As you can see, the translation is now progressing well; we will most likely soon be sending out review requests for the second and final part (you will be informed on this blog).

I take this opportunity to present an excerpt, based on a feature I did not know about before I started working on it: how to encrypt the passwords in your Maven settings.

If you use Maven to deploy your artifacts to remote repositories, or to any other remote service that requires a password, the best solution is to store these passwords in your Maven settings. Without a mechanism to encrypt them, the ~/.m2/settings.xml file quickly becomes a security weakness, because it contains the passwords for your various servers in plaintext. To avoid this problem, Maven 2.1 introduced a feature that lets you encrypt your passwords. To use it, you first create a master password and store it in a security settings file, ~/.m2/settings-security.xml. You can then use this master password to encrypt your other passwords, the ones you previously had to store in plaintext in your Maven settings (~/.m2/settings.xml).

To illustrate this feature, let us look at the process Maven uses to retrieve a server's unencrypted password from a user's settings. The diagram below shows this process. A user refers to a server by its identifier in a project's POM; Maven then looks up the matching server in its settings. Once found, Maven uses the password associated with that server. Since the password is stored in plaintext in ~/.m2/settings.xml, it is easily accessible to anyone who has read permission on this file.

Now let us look at how Maven uses encrypted passwords. The diagram below shows this process.

To configure the password encryption feature, create the master password by running one of the following commands:

shell> mvn -emp <password>
{rsB56BJcqoEHZqEZ0R1VR4TIspmODx1Ln8/PVvsgaGw=}

or

shell> mvn --encrypt-master-password <password>
{rsB56BJcqoEHZqEZ0R1VR4TIspmODx1Ln8/PVvsgaGw=}

Maven then prints the encrypted version of the password to standard output. Copy it and paste it into the ~/.m2/settings-security.xml file, as the following example shows.

Once the master password is created, you can start encrypting the passwords you use in your settings. To encrypt a password with the master password, use one of the commands mvn -ep or mvn --encrypt-password. Imagine you have a repository manager and that you need the username "deployment" and the password "qualityFIRST" to connect to it. To encrypt this password, use the following command line:

shell> mvn -ep qualityFIRST
{uMrbEOEf/VQHnc0W2X49Qab75j9LSTwiM3mg2LCrOzI=}

Then copy the encrypted password shown on standard output and paste it into your Maven settings.

<settings>
 <servers>
  <server>
   <id>nexus</id>
   <username>deployment</username>
   <password>{uMrbEOEf/VQHnc0W2X49Qab75j9LSTwiM3mg2LCrOzI=}</password>
  </server>
 </servers>
 ...
</settings>

When you run a Maven build that needs to interact with the repository manager, Maven retrieves the master password from ~/.m2/settings-security.xml and uses it to decrypt the password stored in ~/.m2/settings.xml. Maven then uses the decrypted password to connect to the server.

What are the benefits of this mechanism? It lets you avoid storing your passwords in plaintext in ~/.m2/settings.xml. Note that this feature does nothing to encrypt the password while it is being sent to the remote server: a malicious person can still recover your passwords by analysing network traffic.

For a bit more security, you can ask your developers to store the encrypted master password on a removable storage device such as a USB drive. With this approach, a developer must plug the removable drive into his workstation whenever he wants to perform a deployment or any other interaction with a remote server. To do this, your ~/.m2/settings-security.xml file must contain a reference to the real location of your settings-security.xml file. This is done with the relocation tag.

<settingsSecurity>
 <relocation>/Volumes/usb-key/settings-security.xml</relocation>
</settingsSecurity>

The developer can thus store his settings-security.xml file in a personal location such as /Volumes/usb-key/settings-security.xml and make sure that this file is available only when he is sitting at his workstation.
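As an added example (not code from the original post or from Maven itself), here is a small Python audit of the two files discussed above: it flags servers in settings.xml whose password is not wrapped in the {...} form Maven treats as encrypted, and reports where settings-security.xml keeps the master password (inline, in Maven's master element, or at a relocation target). Both XML inputs are constructed here for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not the page's own files): "nexus" carries an
# encrypted password, "legacy-ftp" still has a plaintext one.
SETTINGS_XML = """<settings>
  <servers>
    <server><id>nexus</id><username>deployment</username>
      <password>{uMrbEOEf/VQHnc0W2X49Qab75j9LSTwiM3mg2LCrOzI=}</password></server>
    <server><id>legacy-ftp</id><username>build</username>
      <password>qualityFIRST</password></server>
  </servers>
</settings>"""
SECURITY_XML = """<settingsSecurity>
  <relocation>/Volumes/usb-key/settings-security.xml</relocation>
</settingsSecurity>"""

# Maven treats a value wrapped in braces, "{...}", as encrypted with the
# master password; anything else is used verbatim as plaintext.
ENCRYPTED = re.compile(r"^\{[^{}]+\}$")

def _text(el, name):
    """Text of the first child named `name`, ignoring any XML namespace."""
    for child in el:
        if child.tag.rsplit("}", 1)[-1] == name:
            return (child.text or "").strip()
    return None

def plaintext_servers(settings_xml):
    """Ids of <server> entries whose <password> is stored in plaintext."""
    root = ET.fromstring(settings_xml)
    found = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "server":
            continue
        pwd = _text(el, "password")  # None: no password element at all
        if pwd is not None and not ENCRYPTED.match(pwd):
            found.append(_text(el, "id") or "<no id>")
    return found

def master_location(security_xml):
    """'master' if the key is inline, the relocation target if the file points elsewhere, else None."""
    root = ET.fromstring(security_xml)
    return _text(root, "relocation") or ("master" if _text(root, "master") else None)

if __name__ == "__main__":
    for sid in plaintext_servers(SETTINGS_XML):
        print(f"server '{sid}': password stored in plaintext")
    print("master password location:", master_location(SECURITY_XML))
```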


One response to Maven Definitive Guide FR: encrypt your passwords

  • On November 27th, 2009 at 21:41, Mike said:

    Very good article, thank you!

    It is vastly better than plaintext, if only because when I edit a settings file with a colleague looking on, I am not going to show him my passwords.
    But in the end, the contents of settings-security.xml are still just a key, and if it is not possible to set a passphrase, this only makes the apprentice "pirate's" job a little harder.

    Isn't it possible to make Maven ask for a passphrase?

