Using Maven security?

General Discussion
1

We use Maven’s security stuff to encrypt all of the various passwords we need for jboss, databases, etc. We’re using the settings-security.xml master password encryption, etc.

It would appear that Liquibase does not implement this security strategy – is this correct?

If so, are there any plans to support it? We most likely qon’t be able to use Liquibase otherwise, as encrypted passwords are a requirement…

2

I haven’t done a lot with Maven, does anyone know what we would need to do in order to support it?

Nathan

3

I am with you “raketemensch

4

Until this is fixed all you could maybe do is write your own mojo that invoked the liquibase Java API, then you could handle the password yourself or dig it out of a storage like cyber ark or something.

5

Well, Maven has built-in password encryption since 2.0.2. We use it for encrypting lots of passwords, but liquibase seems to just used the hashed password instead of decrypting it. It’s documented here:


http://maven.apache.org/guides/mini/guide-encryption.html


This is something of a dealbreaker for us – storing database passwords in plaintext files is horribad.

6

Curious about this one too. 

7

I think the maven plugin does have the capability of reading username/password from the settings.xml. I guess that doesn’t mean it will read encrypted passwords? I am willing to take a stab at this and submit a pull request but I need to know what the minimum version of Maven that the plugin supports. I believe there are some major differences between 2.0.x, 2.2.x and 3.0.x regarding the encryption and the implementation could differ significantly based on the version that nvoxland supports. Ideally it would use the 3.0.x line

8

I do always appreciate a pull request.  I’m not sure what the maven version usage statistics are to know how important it is to support 2.0 or 2.2 versions. You could always start with 3.0.x and we could add older support if there is enough of a request for it.


Nathan

9

I took some time to examine this and I tested it with Maven 2.2.1 and Maven 3.0.x and in both cases the passwords decryption already worked. The WagonManager class used handles the decryption as far as I can tell. Doesn’t look like any work is needed at this point in time. If others are still having issues I would love to know some more specifics.

10

Good to know, thanks for the update.


Nathan