On Wed, Sep 28, 2011 at 6:12 PM, Qian, Yi <[email protected]> wrote:
> Yes, it is a Maven question, but it relates to Archiva, and here is our use
> case: we set up our Archiva repository and use it as the proxy; the
> developers only get a dependency jar from the Maven repository if our Archiva
> repository does not have it.
>
> In order to access this Archiva repository through the Eclipse Maven plugin,
> the developer has to add this settings.xml in their local .m2 folder to
> include the username/password pair.
>
> This leaves some weak points:
> 1. Even though Archiva accepts an encrypted username/password, it is very clear to
> the attacker where to find the credentials; since we are using single sign-on,
> it might lead the attacker to gain full access to other resources.
> 2. Every time the developer changes the password in LDAP, they have to
> update this settings.xml to gain access to Archiva through the Eclipse Maven
> plugin.
>
> We are looking at using LDAP authentication and have successfully experimented
> in a test environment, but due to the above concern, and also because there is no
> critical data on our Archiva server, we ended up not using LDAP authentication. But
> if your solution can ease the first concern, we are glad to go ahead and
> implement LDAP authentication.
>
> Yi
Unfortunately we could not find any better solution than storing an encrypted password in the local settings.xml file.
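For readers arriving at this thread, this is what the encrypted-password setup discussed above looks like in practice, as an added example that is not from the original mail or the Archiva project. The server id, username, URL, relocation path and the `{...}` values are placeholders; the `<relocation>` element and the `mvn --encrypt-master-password` / `mvn --encrypt-password` commands are standard Maven features.

```xml
<!-- File 1: ~/.m2/settings-security.xml
     Holds only a pointer. The real master key is kept outside ~/.m2 on a
     location readable by this user alone (e.g. file mode 0600), so a copied
     .m2 directory by itself does not yield usable credentials.
     Added example; the path is an assumption. -->
<settingsSecurity>
  <relocation>/secure/maven/settings-security.xml</relocation>
</settingsSecurity>

<!-- File 2: /secure/maven/settings-security.xml
     Produced by: mvn --encrypt-master-password
     The master entry decrypts every <password> in settings.xml, so whoever
     can read this file can recover all server credentials. -->
<settingsSecurity>
  <master>{MASTER-PLACEHOLDER-REPLACE-WITH-mvn-OUTPUT}</master>
</settingsSecurity>

<!-- File 3: ~/.m2/settings.xml (excerpt)
     The password value is produced by: mvn --encrypt-password
     and must be regenerated whenever the LDAP password changes, which is
     the second weak point raised in the thread. -->
<settings>
  <servers>
    <server>
      <!-- id must match the mirror id so Maven sends these credentials to it -->
      <id>archiva-proxy</id>
      <username>developer</username>
      <password>{SERVER-PASSWORD-PLACEHOLDER-REPLACE-WITH-mvn-OUTPUT}</password>
    </server>
  </servers>
  <mirrors>
    <mirror>
      <id>archiva-proxy</id>
      <!-- route all dependency downloads through the Archiva proxy -->
      <mirrorOf>*</mirrorOf>
      <url>https://archiva.example.internal/repository/internal/</url>
    </mirror>
  </mirrors>
</settings>
```

Because the master key still has to be readable by the same user, this arrangement raises the bar for someone who only copies ~/.m2, but it does not remove the first concern in the thread: an attacker with the developer's session can decrypt the credentials, which is why single-sign-on passwords in particular should not be reused here.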
