[shrinkwrap-issues] [JBoss JIRA] (SHRINKRES-146) Encrypted password support forces presence of settings-security.xml

Rafał Gała (JIRA) issues at jboss.org
Tue Sep 2 01:56:00 EDT 2014


    [ https://issues.jboss.org/browse/SHRINKRES-146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12997614#comment-12997614 ] 

Rafał Gała commented on SHRINKRES-146:
--------------------------------------

After a few hours of investigation I finally found something :) The problem is actually with decrypting the password, not the curly brackets.

When I run Maven, I set the MAVEN_OPTS variable to *-Dsettings.security=%M2_HOME%\conf\settings-security.xml*, so when ShrinkWrap resolves artifacts it should look for that file where the parameter points, instead of looking in the .m2 directory in the user's home directory, but it does not work. It seems that ShrinkWrap ignores this parameter.

Passing the *-Dorg.apache.maven.security-settings=%M2_HOME%\conf\settings-security.xml* parameter to Maven seems to solve the problem.

> Encrypted password support forces presence of settings-security.xml
> -------------------------------------------------------------------
>
>                 Key: SHRINKRES-146
>                 URL: https://issues.jboss.org/browse/SHRINKRES-146
>             Project: ShrinkWrap Resolvers
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: 2.0.0-beta-4, 2.0.0
>            Reporter: Falko M.
>            Assignee: Andrew Rubinger
>
> This problem is caused by SHRINKRES-38 "Support encrypted passwords for password protected repositories".
> As soon as {{MavenSettingsBuilder}} finds passwords in the settings file, it apparently assumes that they are encrypted with the master password which is defined in {{settings-security.xml}}. When the file cannot be found, an exception is thrown:
> {code}
> org.jboss.shrinkwrap.resolver.api.InvalidConfigurationFileException: Unable to get security configuration from C:\Users\U115417\.m2\settings-security.xml. Please define path to the settings-security.xml file via -Dorg.apache.maven.security-settings, or put it the the default location defined by Maven.
> 	at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSecurityDispatcher.getMaster(MavenSecurityDispatcher.java:171)
> 	at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSecurityDispatcher.decrypt(MavenSecurityDispatcher.java:96)
> 	at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSettingsDecrypter.decrypt(MavenSettingsDecrypter.java:92)
> 	at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSettingsDecrypter.decrypt(MavenSettingsDecrypter.java:60)
> 	at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.decryptPasswords(MavenSettingsBuilder.java:223)
> 	at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.buildSettings(MavenSettingsBuilder.java:186)
> 	at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.buildDefaultSettings(MavenSettingsBuilder.java:113)
> 	at org.jboss.shrinkwrap.resolver.impl.maven.MavenWorkingSessionImpl.<init>(MavenWorkingSessionImpl.java:123)
> 	at org.jboss.shrinkwrap.resolver.impl.maven.MavenResolverSystemImpl.<init>(MavenResolverSystemImpl.java:43)
> 	... 80 more
> {code}
> This is not correct as passwords can be defined without encryption and in this case no {{settings-security.xml}} file is needed.
> As we use server-side hashed passwords (without client-side encryption), this is a deal breaker for our project as you cannot work around this problem by just creating an empty file or a dummy password.



--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
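
The behaviour both reports ask for, as an added example that is not ShrinkWrap Resolvers code and not part of the original message: require settings-security.xml only when a password is actually in Maven's brace-wrapped encrypted form, and look for it at the path given by the org.apache.maven.security-settings property named in the exception. The class and method names are hypothetical, the brace regex is a simplification, and the sample settings.xml is constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SettingsSecurityCheck {
    // Maven writes encrypted values inside unescaped curly braces; anything else is plain text.
    static final Pattern ENCRYPTED = Pattern.compile("(?<!\\\\)\\{.+?(?<!\\\\)\\}");

    static boolean looksEncrypted(String password) {
        return password != null && ENCRYPTED.matcher(password).find();
    }

    // Property name as given in the exception text; fallback is the per-user .m2 location.
    static Path securitySettingsPath() {
        String override = System.getProperty("org.apache.maven.security-settings");
        return override != null ? Paths.get(override)
                : Paths.get(System.getProperty("user.home"), ".m2", "settings-security.xml");
    }

    // True only if at least one <password> element needs the master password to be decrypted.
    static boolean needsMasterPassword(String settingsXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // block XXE
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(settingsXml.getBytes(StandardCharsets.UTF_8)));
        NodeList passwords = doc.getElementsByTagName("password");
        boolean needed = false;
        for (int i = 0; i < passwords.getLength(); i++) {
            Node p = passwords.item(i);
            boolean enc = looksEncrypted(p.getTextContent().trim());
            System.out.println("<" + p.getParentNode().getNodeName() + "> password #" + i
                    + ": " + (enc ? "encrypted" : "plain text"));
            needed |= enc;
        }
        return needed;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample settings.xml; ids and values are placeholders.
        String xml = "<settings><servers>"
                + "<server><id>repo-a</id><password>plain-secret</password></server>"
                + "<server><id>repo-b</id><password>{CONSTRUCTED+placeholder=}</password></server>"
                + "</servers></settings>";
        Path p = securitySettingsPath();
        System.out.println(needsMasterPassword(xml)
                ? "master password file required: " + p + (Files.isReadable(p) ? " (found)" : " (MISSING)")
                : "no encrypted passwords; settings-security.xml not needed");
    }
}
```

Running it with only plain-text passwords in the input reports that no settings-security.xml is needed, which is the case the original report says currently throws.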