[JBoss JIRA] (SHRINKRES-146) Encrypted password support forces presence of settings-security.xml
by Rafał Gała (JIRA)
[ https://issues.jboss.org/browse/SHRINKRES-146?page=com.atlassian.jira.plu... ]
Rafał Gała edited comment on SHRINKRES-146 at 9/1/14 10:57 AM:
---------------------------------------------------------------
Yes, Maven documentation says only about escaping curly brackets inside. However, Shrinkwrap cannot correctly parse XML files that have only opening and closing brackets, like the one below for example:
<password>\{/XFp4jLOtEMHmqV6niPdSZ1cf/ck/gxDk0PBgjgZkLY=}</password>
If you place the above line in <server> section in settings.xml, Shrinkwrap will fail.
Example:
<server>
<id>server001</id>
<username>my_login</username>
<password>\{/XFp4jLOtEMHmqV6niPdSZ1cf/ck/gxDk0PBgjgZkLY=}</password>
</server>
was (Author: wujaszek):
Yes, Maven documentation says only about escaping curly brackets inside. However, Shrinkwrap cannot correctly parse XML files that have only opening and closing brackets, like the one below for example:
<password>{/XFp4jLOtEMHmqV6niPdSZ1cf/ck/gxDk0PBgjgZkLY=}</password>
If you place the above line in <server> section in settings.xml, Shrinkwrap will fail.
Example:
<server>
<id>server001</id>
<username>my_login</username>
<password>{/XFp4jLOtEMHmqV6niPdSZ1cf/ck/gxDk0PBgjgZkLY=}</password>
</server>
> Encrypted password support forces presence of settings-security.xml
> -------------------------------------------------------------------
>
> Key: SHRINKRES-146
> URL: https://issues.jboss.org/browse/SHRINKRES-146
> Project: ShrinkWrap Resolvers
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: 2.0.0-beta-4, 2.0.0
> Reporter: Falko M.
> Assignee: Andrew Rubinger
>
> This problem is caused by SHRINKRES-38 "Support encrypted passwords for password protected repositories".
> As soon {{MavenSettingsBuilder}} finds passwords in the settings file, it apprently assumes that they are encrypted with the master password which is defined in {{settings-security.xml}}. When the file cannot be found an exception is thrown:
> {code}
> org.jboss.shrinkwrap.resolver.api.InvalidConfigurationFileException: Unable to get security configuration from C:\Users\U115417\.m2\settings-security.xml. Please define path to the settings-security.xml file via -Dorg.apache.maven.security-settings, or put it the the default location defined by Maven.
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSecurityDispatcher.getMaster(MavenSecurityDispatcher.java:171)
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSecurityDispatcher.decrypt(MavenSecurityDispatcher.java:96)
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSettingsDecrypter.decrypt(MavenSettingsDecrypter.java:92)
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSettingsDecrypter.decrypt(MavenSettingsDecrypter.java:60)
> at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.decryptPasswords(MavenSettingsBuilder.java:223)
> at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.buildSettings(MavenSettingsBuilder.java:186)
> at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.buildDefaultSettings(MavenSettingsBuilder.java:113)
> at org.jboss.shrinkwrap.resolver.impl.maven.MavenWorkingSessionImpl.<init>(MavenWorkingSessionImpl.java:123)
> at org.jboss.shrinkwrap.resolver.impl.maven.MavenResolverSystemImpl.<init>(MavenResolverSystemImpl.java:43)
> ... 80 more
> {code}
> This is not correct as passwords can be defined without encryption and in this case no {{settings-security.xml}} file is needed.
> As we use server-side hashed passwords (without client-side encryption), this is a deal breaker for our project as you cannot work around this problem by just creating an empty file or a dummy password.
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
9 years, 8 months
[JBoss JIRA] (SHRINKRES-146) Encrypted password support forces presence of settings-security.xml
by Rafał Gała (JIRA)
[ https://issues.jboss.org/browse/SHRINKRES-146?page=com.atlassian.jira.plu... ]
Rafał Gała commented on SHRINKRES-146:
--------------------------------------
Yes, Maven documentation says only about escaping curly brackets inside. However, Shrinkwrap cannot correctly parse XML files that have only opening and closing brackets, like the one below for example:
<password>{/XFp4jLOtEMHmqV6niPdSZ1cf/ck/gxDk0PBgjgZkLY=}</password>
If you place the above line in <server> section in settings.xml, Shrinkwrap will fail.
Example:
<server>
<id>server001</id>
<username>my_login</username>
<password>{/XFp4jLOtEMHmqV6niPdSZ1cf/ck/gxDk0PBgjgZkLY=}</password>
</server>
> Encrypted password support forces presence of settings-security.xml
> -------------------------------------------------------------------
>
> Key: SHRINKRES-146
> URL: https://issues.jboss.org/browse/SHRINKRES-146
> Project: ShrinkWrap Resolvers
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: 2.0.0-beta-4, 2.0.0
> Reporter: Falko M.
> Assignee: Andrew Rubinger
>
> This problem is caused by SHRINKRES-38 "Support encrypted passwords for password protected repositories".
> As soon {{MavenSettingsBuilder}} finds passwords in the settings file, it apprently assumes that they are encrypted with the master password which is defined in {{settings-security.xml}}. When the file cannot be found an exception is thrown:
> {code}
> org.jboss.shrinkwrap.resolver.api.InvalidConfigurationFileException: Unable to get security configuration from C:\Users\U115417\.m2\settings-security.xml. Please define path to the settings-security.xml file via -Dorg.apache.maven.security-settings, or put it the the default location defined by Maven.
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSecurityDispatcher.getMaster(MavenSecurityDispatcher.java:171)
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSecurityDispatcher.decrypt(MavenSecurityDispatcher.java:96)
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSettingsDecrypter.decrypt(MavenSettingsDecrypter.java:92)
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSettingsDecrypter.decrypt(MavenSettingsDecrypter.java:60)
> at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.decryptPasswords(MavenSettingsBuilder.java:223)
> at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.buildSettings(MavenSettingsBuilder.java:186)
> at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.buildDefaultSettings(MavenSettingsBuilder.java:113)
> at org.jboss.shrinkwrap.resolver.impl.maven.MavenWorkingSessionImpl.<init>(MavenWorkingSessionImpl.java:123)
> at org.jboss.shrinkwrap.resolver.impl.maven.MavenResolverSystemImpl.<init>(MavenResolverSystemImpl.java:43)
> ... 80 more
> {code}
> This is not correct as passwords can be defined without encryption and in this case no {{settings-security.xml}} file is needed.
> As we use server-side hashed passwords (without client-side encryption), this is a deal breaker for our project as you cannot work around this problem by just creating an empty file or a dummy password.
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
9 years, 8 months
[JBoss JIRA] (SHRINKRES-146) Encrypted password support forces presence of settings-security.xml
by Karel Piwko (JIRA)
[ https://issues.jboss.org/browse/SHRINKRES-146?page=com.atlassian.jira.plu... ]
Karel Piwko edited comment on SHRINKRES-146 at 9/1/14 10:46 AM:
----------------------------------------------------------------
[~wujaszek] can you please create a separate issue for that and discuss details there? I don't understand the details, as escaping curly braces is a Maven thing, not related for ShrinkWrap. According to the documentation, you should escape curly braces in between curly braces. There is no reason to escape demarking curly braces:
http://maven.apache.org/guides/mini/guide-encryption.html#Tips
Please note that password can contain any information outside of the curly brackets, so that the following will still work:
was (Author: kpiwko):
[~wujaszek] can you please create a separate issue for that and discuss details there? I don't understand the details, as escaping curly braces is a Maven thing, not related for ShrinkWrap.
Thanks.
> Encrypted password support forces presence of settings-security.xml
> -------------------------------------------------------------------
>
> Key: SHRINKRES-146
> URL: https://issues.jboss.org/browse/SHRINKRES-146
> Project: ShrinkWrap Resolvers
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: 2.0.0-beta-4, 2.0.0
> Reporter: Falko M.
> Assignee: Andrew Rubinger
>
> This problem is caused by SHRINKRES-38 "Support encrypted passwords for password protected repositories".
> As soon {{MavenSettingsBuilder}} finds passwords in the settings file, it apprently assumes that they are encrypted with the master password which is defined in {{settings-security.xml}}. When the file cannot be found an exception is thrown:
> {code}
> org.jboss.shrinkwrap.resolver.api.InvalidConfigurationFileException: Unable to get security configuration from C:\Users\U115417\.m2\settings-security.xml. Please define path to the settings-security.xml file via -Dorg.apache.maven.security-settings, or put it the the default location defined by Maven.
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSecurityDispatcher.getMaster(MavenSecurityDispatcher.java:171)
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSecurityDispatcher.decrypt(MavenSecurityDispatcher.java:96)
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSettingsDecrypter.decrypt(MavenSettingsDecrypter.java:92)
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSettingsDecrypter.decrypt(MavenSettingsDecrypter.java:60)
> at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.decryptPasswords(MavenSettingsBuilder.java:223)
> at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.buildSettings(MavenSettingsBuilder.java:186)
> at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.buildDefaultSettings(MavenSettingsBuilder.java:113)
> at org.jboss.shrinkwrap.resolver.impl.maven.MavenWorkingSessionImpl.<init>(MavenWorkingSessionImpl.java:123)
> at org.jboss.shrinkwrap.resolver.impl.maven.MavenResolverSystemImpl.<init>(MavenResolverSystemImpl.java:43)
> ... 80 more
> {code}
> This is not correct as passwords can be defined without encryption and in this case no {{settings-security.xml}} file is needed.
> As we use server-side hashed passwords (without client-side encryption), this is a deal breaker for our project as you cannot work around this problem by just creating an empty file or a dummy password.
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
9 years, 8 months
[JBoss JIRA] (SHRINKRES-146) Encrypted password support forces presence of settings-security.xml
by Karel Piwko (JIRA)
[ https://issues.jboss.org/browse/SHRINKRES-146?page=com.atlassian.jira.plu... ]
Karel Piwko commented on SHRINKRES-146:
---------------------------------------
[~wujaszek] can you please create a separate issue for that and discuss details there? I don't understand the details, as escaping curly braces is a Maven thing, not related for ShrinkWrap.
Thanks.
> Encrypted password support forces presence of settings-security.xml
> -------------------------------------------------------------------
>
> Key: SHRINKRES-146
> URL: https://issues.jboss.org/browse/SHRINKRES-146
> Project: ShrinkWrap Resolvers
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: 2.0.0-beta-4, 2.0.0
> Reporter: Falko M.
> Assignee: Andrew Rubinger
>
> This problem is caused by SHRINKRES-38 "Support encrypted passwords for password protected repositories".
> As soon {{MavenSettingsBuilder}} finds passwords in the settings file, it apprently assumes that they are encrypted with the master password which is defined in {{settings-security.xml}}. When the file cannot be found an exception is thrown:
> {code}
> org.jboss.shrinkwrap.resolver.api.InvalidConfigurationFileException: Unable to get security configuration from C:\Users\U115417\.m2\settings-security.xml. Please define path to the settings-security.xml file via -Dorg.apache.maven.security-settings, or put it the the default location defined by Maven.
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSecurityDispatcher.getMaster(MavenSecurityDispatcher.java:171)
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSecurityDispatcher.decrypt(MavenSecurityDispatcher.java:96)
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSettingsDecrypter.decrypt(MavenSettingsDecrypter.java:92)
> at org.jboss.shrinkwrap.resolver.impl.maven.internal.decrypt.MavenSettingsDecrypter.decrypt(MavenSettingsDecrypter.java:60)
> at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.decryptPasswords(MavenSettingsBuilder.java:223)
> at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.buildSettings(MavenSettingsBuilder.java:186)
> at org.jboss.shrinkwrap.resolver.impl.maven.bootstrap.MavenSettingsBuilder.buildDefaultSettings(MavenSettingsBuilder.java:113)
> at org.jboss.shrinkwrap.resolver.impl.maven.MavenWorkingSessionImpl.<init>(MavenWorkingSessionImpl.java:123)
> at org.jboss.shrinkwrap.resolver.impl.maven.MavenResolverSystemImpl.<init>(MavenResolverSystemImpl.java:43)
> ... 80 more
> {code}
> This is not correct as passwords can be defined without encryption and in this case no {{settings-security.xml}} file is needed.
> As we use server-side hashed passwords (without client-side encryption), this is a deal breaker for our project as you cannot work around this problem by just creating an empty file or a dummy password.
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
9 years, 8 months
[JBoss JIRA] (SHRINKRES-196) FormatStage should work in a JDK8 friendly way
by Karel Piwko (JIRA)
[ https://issues.jboss.org/browse/SHRINKRES-196?page=com.atlassian.jira.plu... ]
Karel Piwko updated SHRINKRES-196:
----------------------------------
Assignee: John Ament
> FormatStage should work in a JDK8 friendly way
> ----------------------------------------------
>
> Key: SHRINKRES-196
> URL: https://issues.jboss.org/browse/SHRINKRES-196
> Project: ShrinkWrap Resolvers
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: api, impl-maven
> Affects Versions: 2.2.0-alpha-1, 2.2.0-alpha-2
> Reporter: John Ament
> Assignee: John Ament
> Labels: api-change
> Fix For: 2.2.0-alpha-3
>
>
> Currently, FormatStage only returns arrays. In JDK8 if I want to stream the results to merge JARs, I have to do this:
> JavaArchive jar = ShrinkWrap.create(JavaArchive.class, "se-examples.jar").addPackage(UndertowComponent.class.getPackage())
> .addPackage(ExampleConfigSource.class.getPackage()).addPackage(GreeterServlet.class.getPackage())
> .addAsManifestResource(new StringAsset(beansXml),"beans.xml");
> Arrays.stream(Maven.resolver().loadPomFromFile("pom.xml")
> .resolve("org.apache.deltaspike.core:deltaspike-core-api","org.apache.deltaspike.core:deltaspike-core-impl")
> .withTransitivity().as(JavaArchive.class)).forEach(jar::merge);
> The Arrays.stream here is ugly as sin, requires me to wrap the result. It would be better if there was an asList(Class<?>) method that did the appropriate type conversion and returned as a list of whatevers.
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
9 years, 8 months
[JBoss JIRA] (SHRINKRES-196) FormatStage should work in a JDK8 friendly way
by Karel Piwko (JIRA)
[ https://issues.jboss.org/browse/SHRINKRES-196?page=com.atlassian.jira.plu... ]
Karel Piwko updated SHRINKRES-196:
----------------------------------
Status: Resolved (was: Pull Request Sent)
Labels: api-change (was: )
Fix Version/s: 2.2.0-alpha-3
Resolution: Done
Thanks John, I like the proposal. Landed in https://github.com/shrinkwrap/resolver/commit/fb9d64427db2f1cd3221ea1f6ad... . I've also added documentation into README to make usage of this feature more visible.
> FormatStage should work in a JDK8 friendly way
> ----------------------------------------------
>
> Key: SHRINKRES-196
> URL: https://issues.jboss.org/browse/SHRINKRES-196
> Project: ShrinkWrap Resolvers
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: api, impl-maven
> Affects Versions: 2.2.0-alpha-1, 2.2.0-alpha-2
> Reporter: John Ament
> Labels: api-change
> Fix For: 2.2.0-alpha-3
>
>
> Currently, FormatStage only returns arrays. In JDK8 if I want to stream the results to merge JARs, I have to do this:
> JavaArchive jar = ShrinkWrap.create(JavaArchive.class, "se-examples.jar").addPackage(UndertowComponent.class.getPackage())
> .addPackage(ExampleConfigSource.class.getPackage()).addPackage(GreeterServlet.class.getPackage())
> .addAsManifestResource(new StringAsset(beansXml),"beans.xml");
> Arrays.stream(Maven.resolver().loadPomFromFile("pom.xml")
> .resolve("org.apache.deltaspike.core:deltaspike-core-api","org.apache.deltaspike.core:deltaspike-core-impl")
> .withTransitivity().as(JavaArchive.class)).forEach(jar::merge);
> The Arrays.stream here is ugly as sin, requires me to wrap the result. It would be better if there was an asList(Class<?>) method that did the appropriate type conversion and returned as a list of whatevers.
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
9 years, 8 months
[JBoss JIRA] (SHRINKRES-186) MavenResolverSystemBase deprecates offline() but JavaDoc refer to wrong new usage
by Karel Piwko (JIRA)
[ https://issues.jboss.org/browse/SHRINKRES-186?page=com.atlassian.jira.plu... ]
Karel Piwko updated SHRINKRES-186:
----------------------------------
Status: Resolved (was: Pull Request Sent)
Resolution: Done
> MavenResolverSystemBase deprecates offline() but JavaDoc refer to wrong new usage
> ----------------------------------------------------------------------------------
>
> Key: SHRINKRES-186
> URL: https://issues.jboss.org/browse/SHRINKRES-186
> Project: ShrinkWrap Resolvers
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: api-maven
> Affects Versions: 2.1.1
> Reporter: Aslak Knutsen
> Assignee: Michal Matloka
> Fix For: 2.2.0-alpha-3
>
>
> MavenResolverSystemBase deprecates the methods offline() and offline(boolean), but the JavaDoc suggests the new way to set this flag is via ConfigurableMavenResolverSystem#workOffline(). The link is correct, but the suggest path seems off; Maven.resolver().workOffline()
> Maven.resolver() will return a MavenResolverSystem, while Maven.configureResolver() returns the ConfigurableMavenResolverSystem which has the new methods..
> Either the JavaDoc needs update, or the Maven.resolver() methods needs to return the new interface?
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
9 years, 8 months