Hi,
Sure thing. :)
I have a set of private Maven repos which are readable (writeable) only to
logged-in users.
We need to use login:password credentials because it is a community
version of Nexus and AFAIK it does not allow use of API keys. Accounts
are centralized so this is not the only place they are used.
Current state of Maven forces me to have credentials stored in the
settings.xml which is a security issue. It leads to either
- Having one "application user" to read repos and distribute such user
to all our devs. (And this does not solve the write access part at all.)
or to a security nightmare where
- Each developer puts his credentials into the settings.xml in plaintext.
(I know that Maven lets you encrypt the credentials but you still have
to store the master key somewhere... so that actually does not solve
anything and only adds another secret you have to care about.)
Hence, I tried to find, and failing that, tried to create a plugin which
asks the user for a password to the repository on the command line before
the actual deploy happens. My idea is, so far, to collect the password and
inject it back into the Maven session with (just an example)

    Console console = System.console(); // null when no terminal is attached
    Server server = session.getSettings().getServers().get(0);
    char[] passwordArray = console.readPassword("Enter password: ");
    server.setPassword(new String(passwordArray));

There are a few things to think about - multiple servers, if I am even
able to modify session like that, how to do it for the read of the repo
which happens when downloading dependencies, what happens when invoked
from IDE, ...
Way better would probably be to patch maven-deploy-plugin to ask for
password when it gets HTTP 401 from the remote repository... but hey,
this is a PoC idea I started hacking on yesterday. :)
I'd like to get some minimal working package, then think where it is
right to put it.
Cheers,
Petr Fišer
BCV solutions s.r.o.
On 05/19/2020 02:55 PM, Karl Heinz Marbaise wrote:
Hi,
On 19.05.20 14:24, Petr Fišer wrote:
Hello,
I am trying to create custom maven plugin. Problem is I need to hook it
up into the "deploy" phase before the default maven-deploy-plugin gets
executed.
The plugin itself seems to be ok - I hooked it up to "package" phase to
verify it's working. But when trying to get it into "deploy" phase, the
maven-deploy-plugin executes first (and of course complains that I do
not have the distributionManagement section in the pom.xml but I guess
that is not the root of my problem).
Can you explain what kind of plugin and why the plugin needs to be
before deploy plugin? (It looks like asking password?) What kind of
problem are you trying to solve?
Kind regards
Karl Heinz Marbaise
Could somebody point me in the right direction please?
Base class of the plugin:
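    import org.apache.maven.plugin.AbstractMojo;
    import org.apache.maven.plugin.MojoExecutionException;
    import org.apache.maven.plugin.MojoFailureException;
    import org.apache.maven.plugins.annotations.LifecyclePhase;
    import org.apache.maven.plugins.annotations.Mojo;

    @Mojo( name = "askpass", defaultPhase = LifecyclePhase.DEPLOY )
    public class AskpassDeployPluginMojo extends AbstractMojo {
        public void execute() throws MojoExecutionException, MojoFailureException {
            // do something here
        }
    }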
Reference from pom.xml of sample project where I am testing this:
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
         http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.mycompany.app</groupId>
  <artifactId>my-app</artifactId>
  <packaging>jar</packaging>
  <version>1.0-SNAPSHOT</version>
  <name>my-app</name>
  <url>http://maven.apache.org</url>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>3.8.1</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>cz.fiisch.maven.plugin.deploy.askpass</groupId>
        <artifactId>askpass-deploy-plugin</artifactId>
        <version>1.0-SNAPSHOT</version>
        <executions>
          <execution>
            <phase>deploy</phase>
            <goals>
              <goal>askpass</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
Cheers,
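
The prompt-and-inject idea from the message above, written out as a complete Mojo; this is an added example, not code from the thread or from any existing Maven plugin. The class name, package and the `askpass.serverId` parameter are hypothetical, binding to `install` is an assumption made so the goal runs before the `deploy` phase, and whether the deploy step later picks up the in-memory password is the open question in the message and is not verified here.

```java
package example.askpass; // hypothetical package name

import java.io.Console;
import java.util.Arrays;
import org.apache.maven.execution.MavenSession;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoFailureException;
import org.apache.maven.plugins.annotations.LifecyclePhase;
import org.apache.maven.plugins.annotations.Mojo;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.settings.Server;

// Bound to "install" by default (assumption) so it runs before the deploy phase.
@Mojo(name = "askpass", defaultPhase = LifecyclePhase.INSTALL)
public class AskpassSketchMojo extends AbstractMojo {

    @Parameter(defaultValue = "${session}", readonly = true, required = true)
    private MavenSession session;

    // Hypothetical parameter: id of the <server> entry to fill in.
    @Parameter(property = "askpass.serverId", required = true)
    private String serverId;

    @Override
    public void execute() throws MojoFailureException {
        // Look the server up by id instead of taking getServers().get(0).
        Server server = session.getSettings().getServer(serverId);
        if (server == null) {
            throw new MojoFailureException("No <server> with id '" + serverId + "' in settings.xml");
        }
        // System.console() is null when no terminal is attached (IDE, CI):
        // fail closed rather than fall back to an echoing prompt.
        Console console = System.console();
        if (console == null) {
            throw new MojoFailureException("No interactive console; cannot prompt for password");
        }
        char[] password = console.readPassword("Password for %s@%s: ", server.getUsername(), serverId);
        if (password == null || password.length == 0) {
            throw new MojoFailureException("Empty password entered for server '" + serverId + "'");
        }
        try {
            // Server.setPassword takes a String, so one immutable copy stays on the heap.
            server.setPassword(new String(password));
        } finally {
            Arrays.fill(password, '\0'); // wipe the mutable copy
        }
        getLog().info("Password for server '" + serverId + "' set in memory for this build only");
    }
}
```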