This is an automated email from the ASF dual-hosted git repository.

cstamas pushed a commit to branch maven-3.9.x
in repository https://gitbox.apache.org/repos/asf/maven.git


The following commit(s) were added to refs/heads/maven-3.9.x by this push:
     new dea5f14a85 Bug: SecDispatcher is managed by legacy Plexus DI (#11711)
dea5f14a85 is described below

commit dea5f14a85e26291f654a4c4a29a58210293628b
Author: Tamas Cservenak <[email protected]>
AuthorDate: Thu Feb 12 12:08:06 2026 +0100

    Bug: SecDispatcher is managed by legacy Plexus DI (#11711)
    
    Plexus DI is capable only of field injection, and version 2.0 of 
SecDispatcher has a `final` field since it was converted to JSR330, which causes 
WARNINGs on Java 26 due to JEP 500.
    
    Fix: drop component from Plexus XML (this was our last managed Plexus 
component) and provide a drop in replacement, a provider w/ name "maven".
---
 .../secdispatcher/SecDispatcherProvider.java       | 61 ++++++++++++++++++++++
 .../main/resources/META-INF/plexus/components.xml  | 20 -------
 2 files changed, 61 insertions(+), 20 deletions(-)

diff --git 
a/maven-core/src/main/java/org/apache/maven/internal/secdispatcher/SecDispatcherProvider.java
 
b/maven-core/src/main/java/org/apache/maven/internal/secdispatcher/SecDispatcherProvider.java
new file mode 100644
index 0000000000..3b681caeee
--- /dev/null
+++ 
b/maven-core/src/main/java/org/apache/maven/internal/secdispatcher/SecDispatcherProvider.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.maven.internal.secdispatcher;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.inject.Provider;
+import javax.inject.Singleton;
+
+import java.util.Map;
+
+import org.sonatype.plexus.components.cipher.PlexusCipher;
+import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
+import org.sonatype.plexus.components.sec.dispatcher.PasswordDecryptor;
+import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
+
+/**
+ * Provides a security dispatcher named "maven". Maven uses this security 
dispatcher instead of the default.
+ * The default security dispatcher is unaware of Maven specific configuration 
file locations and should not be used
+ * (injected or referenced in any way) at all in any Maven related codebase.
+ * <p>
+ * Note: This whole stuff is really deprecated and replaced with proper 
security in Maven 4, while this one is
+ * just "security through obscurity".
+ *
+ * @since 3.9.13
+ */
+@Singleton
+@Named("maven")
+public class SecDispatcherProvider implements Provider<SecDispatcher> {
+    private final SecDispatcher instance;
+
+    @Inject
+    public SecDispatcherProvider(
+            PlexusCipher plexusCipher,
+            Map<String, PasswordDecryptor> decryptors,
+            
@Named("${maven.settings.security.configurationFile:-~/.m2/settings-security.xml}")
+                    String configurationFile) {
+        instance = new DefaultSecDispatcher(plexusCipher, decryptors, 
configurationFile);
+    }
+
+    @Override
+    public SecDispatcher get() {
+        return instance;
+    }
+}
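Review bot: The class Javadoc does not mention that the constructor's `@Named("${maven.settings.security.configurationFile:-~/.m2/settings-security.xml}")` parameter makes the settings-security file location overridable by a property, whereas the removed Plexus XML entry fixed it to `~/.m2/settings-security.xml`. That file presumably configures how the dispatcher decrypts passwords (the reading code is in DefaultSecDispatcher, outside this diff), so whichever source supplies the property also decides which file is trusted. I would add a Javadoc line such as `* The configuration file defaults to {@code ~/.m2/settings-security.xml} and can be overridden with the {@code maven.settings.security.configurationFile} property.` It would also help to say where the placeholder is resolved from (user properties, system properties or elsewhere), which these lines do not show, so that a reader can tell who is able to redirect the lookup.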
diff --git a/maven-core/src/main/resources/META-INF/plexus/components.xml 
b/maven-core/src/main/resources/META-INF/plexus/components.xml
index 01dc6a8a3c..6560e023d8 100644
--- a/maven-core/src/main/resources/META-INF/plexus/components.xml
+++ b/maven-core/src/main/resources/META-INF/plexus/components.xml
@@ -110,25 +110,5 @@ under the License.
         <!-- END SNIPPET: site -->
       </configuration>
     </component>
-
-    <component>
-      <role>org.sonatype.plexus.components.sec.dispatcher.SecDispatcher</role>
-      <role-hint>maven</role-hint>
-      
<implementation>org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher</implementation>
-      <description>Maven Security dispatcher</description>
-      <requirements>
-        <requirement>
-          <role>org.sonatype.plexus.components.cipher.PlexusCipher</role>
-          <field-name>_cipher</field-name>
-        </requirement>
-        <requirement>
-          
<role>org.sonatype.plexus.components.sec.dispatcher.PasswordDecryptor</role>
-          <field-name>_decryptors</field-name>
-        </requirement>
-      </requirements>
-      <configuration>
-        <_configuration-file>~/.m2/settings-security.xml</_configuration-file>
-      </configuration>
-    </component>
   </components>
 </component-set>
