Avoid keeping credentials in application POM files

During a Maven build, you need to connect to external repositories outside your firewall. In a tightly secured environment, every outbound connection has to go through an internal proxy server. The following configuration in MAVEN_HOME/conf/settings.xml shows how to connect to an external repository via an authenticated proxy server:

<proxy>
  <id>internal_proxy</id>
  <active>true</active>
  <protocol>http</protocol>
  <username>proxyuser</username>
  <password>proxypass</password>
  <host>proxy.host.net</host>
  <port>80</port>
  <nonProxyHosts>local.net|some.host.com</nonProxyHosts>
</proxy>

Maven repositories can also be protected so that only legitimate users have access. If a given repository is protected with HTTP basic authentication, the corresponding credentials should be defined as shown in the following code, under the servers element of MAVEN_HOME/conf/settings.xml:

<server>
  <id>central</id>
  <username>my_username</username>
  <password>my_password</password>
</server>

Keeping confidential data in configuration files in cleartext is a security threat that must be avoided. Maven provides a way of encrypting configuration data in settings.xml.

First, we need to create a master encryption key:

$ mvn -emp mymasterpassword
{lJ1MrCQRnngHIpSadxoyEKyt2zIGbm3Yl0ClKdTtRR6TleNaEfGOEoJaxNcdMr+G}

With the output from the previous command, we need to create a file called settings-security.xml under USER_HOME/.m2/ and add the encrypted master password there, as shown in the following code:

<settingsSecurity>
  <master>
    {lJ1MrCQRnngHIpSadxoyEKyt2zIGbm3Yl0ClKdTtRR6TleNaEfGOEoJaxNcdMr+G}
  </master>
</settingsSecurity>

Once the master password is configured properly, we can start encrypting the rest of the confidential data in settings.xml. Let's see how to encrypt the server password. First, we need to generate the encrypted form of the cleartext password using the following command. Note that earlier we used emp (encrypt master password) and now we are using ep (encrypt password):

$ mvn -ep my_password
{PbYw8YaLb3cHA34/5EdHzoUsmmw/u/nWOwb9e+x6Hbs=}

Copy the value of the encrypted password and replace the corresponding value in settings.xml:

<server>
  <id>central</id>
  <username>my_username</username>
  <password>
    {PbYw8YaLb3cHA34/5EdHzoUsmmw/u/nWOwb9e+x6Hbs=}
  </password>
</server>
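As an added example (not code from the book), the following audit scans a settings.xml for password or passphrase values under server and proxy entries that are still in cleartext, i.e. not wrapped in the {...} form Maven uses for encrypted values. The sample settings, the field names checked and the "contains a {...} token" heuristic are assumptions made for this example.

```python
"""Audit a Maven settings.xml for credentials that were left in cleartext."""
import re
import xml.etree.ElementTree as ET

# Maven treats a value containing a {...} token as encrypted; anything else is a
# cleartext secret. (Heuristic assumed here: a literal '{' inside a real
# cleartext password would be misclassified as encrypted.)
ENCRYPTED_TOKEN = re.compile(r"\{[^{}]+\}")

# Child elements of <server> and <proxy> that hold secrets (assumed list).
SECRET_FIELDS = ("password", "passphrase")


def _local(tag):
    """Strip the xmlns="http://maven.apache.org/SETTINGS/1.0.0" namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def find_cleartext_secrets(settings_xml):
    """Return (section, id, field) for every secret not in {...} encrypted form."""
    root = ET.fromstring(settings_xml)
    findings = []
    for entry in root.iter():
        section = _local(entry.tag)
        if section not in ("server", "proxy"):
            continue
        entry_id = "?"
        for child in entry:
            if _local(child.tag) == "id" and child.text:
                entry_id = child.text.strip()
        for child in entry:
            field = _local(child.tag)
            if field in SECRET_FIELDS:
                value = (child.text or "").strip()  # tolerate surrounding newlines
                if value and not ENCRYPTED_TOKEN.search(value):
                    findings.append((section, entry_id, field))
    return findings


# Constructed sample: a proxy left in cleartext and a server already encrypted.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <proxies>
    <proxy><id>internal_proxy</id><active>true</active><protocol>http</protocol>
      <username>proxyuser</username><password>proxypass</password>
      <host>proxy.host.net</host><port>80</port></proxy>
  </proxies>
  <servers>
    <server><id>central</id><username>my_username</username>
      <password>
        {PbYw8YaLb3cHA34/5EdHzoUsmmw/u/nWOwb9e+x6Hbs=}
      </password></server>
  </servers>
</settings>"""

if __name__ == "__main__":
    for section, entry_id, field in find_cleartext_secrets(SAMPLE_SETTINGS):
        print(f"cleartext {field} in <{section}> id={entry_id}")
```

Run it against a real settings.xml by reading the file into the function; an empty result means every secret is already in the encrypted form.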