Open rH4rtinger opened 1 year ago
Also facing the same problem. Is this going to be picked up anytime soon?
@maxandersen could be useful to see if using MIMA fixes this problem.
Also facing the same problem. Could this be prioritized please? I think using custom Maven repositories with authentication is an important use case.
@baldimir to be clear: you can access repos with authentication with jbang.
The issue here is about having a way to use encrypted credentials rather than setting an env var to the right thing.
If someone is around with some good ideas on how to easily test and verify this, I'm all ears - PRs welcome too.
@baldimir what is the latest jbang version you tried with? The latest, 0.114, has MIMA integrated, which could potentially have fixed it.
MIMA should handle this transparently. If not, that is a MIMA bug. Please use JBang 0.114+, which has MIMA, as @maxandersen said.
But I have to say a bit more about "password encryption" in Maven with my Maven PMC hat on: current Maven password encryption is inherently insecure. It is much better to have your configuration files properly secured (FS perms, disk encryption, physical security, etc.) to be on the safe side.
For a start, the Maven team is somewhat aligned with the Tomcat team (shares the same arguments) regarding "security through obscurity". Moreover, there was this fix (not yet used by Maven or MIMA) that shows technical issues with the existing code as well. While the change improves things, the fundamental situation remains unchanged, as it is really "turtles all the way down...".
Describe the bug
According to https://www.jbang.dev/documentation/guide/latest/dependencies.html#repositories
I have in ~/.m2/settings.xml a mirror to a proxy repository which requires authentication. The username and password to the proxy are encrypted as Maven Password Encryption describes. That means in my settings.xml there is a username in plain text and an encrypted password in curly brackets.
In my settings-security.xml, my master password is also encrypted.
When I am trying to access a dependency which is not in my local .m2 directory, I am getting 401 Unauthorized.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Encrypted passwords should be recognized and decrypted for the communication with a proxy repository which requires authentication.
JBang version
[jbang] [0:226] jbang version 0.106.3
Cache: C:\Users\.jbang\cache
Config: C:\Users\.jbang
Repository:C:\Users\.m2
0.106.3
Additional context
If I am using a normal Java project and trying to resolve a Maven dependency, my encrypted password is working and the resources are downloaded normally.
Also, if I replace the encrypted password with the plain text password in my settings.xml, the Maven download is working.
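An added example, not part of the issue thread and not JBang or Maven code: a small audit of a `.m2` directory in the spirit of the comment above about securing the configuration files themselves. It reports how each `<server>` password in settings.xml is stored and whether the files are accessible to other users; the sample settings, server ids and function names are constructed for illustration, and the permission check assumes POSIX mode bits and Python 3.8+.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"\$\{[^}]+\}")        # e.g. ${env.REPO_PASSWORD}
ENCRYPTED = re.compile(r"(?<!\$)\{[^{}]+\}")    # Maven's {...} encrypted form
# Constructed sample, not taken from the issue; ids and values are hypothetical.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"><servers>
  <server><id>proxy-enc</id><username>u</username><password>{EXAMPLEonly=}</password></server>
  <server><id>proxy-env</id><username>u</username><password>${env.REPO_PASSWORD}</password></server>
  <server><id>proxy-plain</id><username>u</username><password>hunter2</password></server>
</servers></settings>"""

def classify(password):
    if not password or not password.strip():
        return "missing"
    if PLACEHOLDER.search(password):
        return "placeholder"
    return "encrypted" if ENCRYPTED.search(password) else "plaintext"

def server_passwords(settings_path):
    """Map each <server> id to how its password is stored (any XML namespace)."""
    root = ET.parse(settings_path).getroot()
    return {s.findtext("{*}id") or "?": classify(s.findtext("{*}password"))
            for s in root.findall(".//{*}server")}

def loose_permissions(path):  # POSIX mode bits only; not meaningful on Windows
    return bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO))

def audit(m2_dir):
    settings, security = (os.path.join(m2_dir, n) for n in ("settings.xml", "settings-security.xml"))
    kinds = server_passwords(settings)
    findings = [f"{sid}: plaintext password" for sid, k in sorted(kinds.items()) if k == "plaintext"]
    if "encrypted" in kinds.values() and os.path.exists(security):
        findings.append("settings-security.xml beside encrypted passwords: file access is the real control")
    findings += [f"{os.path.basename(p)}: accessible to group/others"
                 for p in (settings, security) if os.path.exists(p) and loose_permissions(p)]
    return findings

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, body, mode in (("settings.xml", SAMPLE_SETTINGS, 0o644),
                                 ("settings-security.xml", "<settingsSecurity/>", 0o600)):
            with open(os.path.join(d, name), "w") as f:
                f.write(body)
            os.chmod(os.path.join(d, name), mode)
        return audit(d)
```

Calling `audit(os.path.expanduser("~/.m2"))` runs the same checks against a real configuration; `demo()` runs them against the constructed sample.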