Where do I put my credentials when using Ivy and a private company repository?

I'm using Ant + Ivy, and my company has recently set up a Nexus server for our own private libraries. Ivy can get dependencies from the Nexus server by using an ibiblio resolver and m2compatible=true, but I have to put my credentials in an ivysettings.xml file.

How are different developers supposed to store their credentials?

Is the ivysettings.xml file not supposed to be committed in VCS?

I really don't want to store my password in plain text.

Blackington answered 21/9, 2011 at 16:55 Comment(0)

Use a settings file with properties controlling the Nexus credentials:

<ivysettings>
    <property name="repo.host" value="default.mycompany.com" override="false"/>
    <property name="repo.realm" value="Sonatype Nexus Repository Manager" override="false"/>
    <property name="repo.user" value="deployment"  override="false"/>
    <property name="repo.pass" value="deployment123"  override="false"/>          

    <credentials host="${repo.host}" realm="${repo.realm}" username="${repo.user}" passwd="${repo.pass}"/>

    ..
    ..
</ivysettings>

When you run the build you can then specify the true username and password:

ant -Drepo.user=mark -Drepo.pass=s3Cret

Update/Enhancement

Storing passwords as properties on the file system requires encryption.

Jasypt has a command-line program that can generate encrypted strings:

$ encrypt.sh verbose=0 password=123 input=s3Cret
hXiMYkpsPY7j3aIh/2/vfQ==

This can be saved in the build's property file:

username=bill
password=ENC(hXiMYkpsPY7j3aIh/2/vfQ==)

The following ANT target will decrypt any encrypted ANT properties:

<target name="decrypt">
    <taskdef name="groovy" classname="org.codehaus.groovy.ant.Groovy" classpathref="build.path"/>

    <groovy>
    import org.jasypt.properties.EncryptableProperties
    import org.jasypt.encryption.pbe.StandardPBEStringEncryptor

    StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor()
    encryptor.setPassword(properties["master.pass"])

    Properties props = new EncryptableProperties((Properties)properties, encryptor);

    props.propertyNames().each {
        properties[it] = props.getProperty(it)
    }
    </groovy>
</target>

Of course to make this work, the password used for encrypting the properties needs to be specified as part of the build.

ant -Dmaster.pass=123

This means the solution is only good for hiding data at rest.

Wiesbaden answered 21/9, 2011 at 19:16 Comment(2)
Just a note, one can still dig up sensitive information in the ~/.bash_history file. - Shonda
@Shonda Yup, solution is far from perfect. - Camelopardalis

For my purposes the command-line credentials weren't an option because I'm running through Jenkins and they'd be clearly pasted on the build output, so here was my solution which strikes a balance by being reasonably secure.

  • Create a properties file in your home directory that contains the sensitive information (we'll call it "maven.repo.properties")

    repo.username=admin
    repo.password=password
    
  • Near the top of your build file, import the property file

    <property file="${user.home}/maven.repo.properties"/>
    
  • In your publish target under build.xml, set your ivy settings file location (which does get checked in to code control) but embed your credential properties

    <target name="publish">
        <ivy:settings file="ivysettings.xml">
            <credentials host="repohostname" realm="Artifactory Realm" username="${repo.username}" passwd="${repo.password}"/>
        </ivy:settings>
        <!-- ivy:makepom and ivy:publish targets go here -->
    </target>
    
  • Create your ivysettings.xml just as you did before, but strip out the username and passwd attributes

You can then leverage your operating system's permissions to make sure that the maven.repo.properties file is properly hidden from everybody except you (or your automatic build implementation).

Cinerary answered 4/11, 2012 at 16:16 Comment(1)
This made me realize that the realm had to be exactly Artifactory Realm when specifying credentials for a JFrog Artifactory. - Womanish
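
The two exposure points raised in this thread (a password passed as -Drepo.pass on the command line, and a properties file other users can read) can both be checked in a small wrapper. This is an added example, not part of any answer above: the function names and the REPO_PROPS variable are hypothetical, the file name and keys are the ones from the answer, and `ant -propertyfile` is used here as an alternative to the `<property file=.../>` import.

```sh
# Added example; function names and REPO_PROPS are hypothetical.
# File name and keys (repo.username / repo.password) follow the answer above.

# Write the credentials file so that it is never group- or world-readable.
# The password is read from stdin, so it does not appear in argv or history.
# Usage: write_repo_props FILE USERNAME < password-source
write_repo_props() (
    file=$1 user=$2
    IFS= read -r pass || [ -n "$pass" ] || exit 1
    # Backslash is an escape character in Java .properties files: double it.
    pass=$(printf '%s' "$pass" | sed 's/\\/\\\\/g')
    umask 077                 # file is created with mode 0600
    rm -f -- "$file"          # replace any older copy with looser permissions
    printf 'repo.username=%s\nrepo.password=%s\n' "$user" "$pass" > "$file"
)

# Succeed only if FILE is a regular file (not a symlink) whose group and
# other permission bits are all clear, e.g. -rw------- or -r--------.
is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Run Ant with credentials loaded from the private file rather than from
# -D arguments, which end up in shell history, the process list and CI logs.
# Refuses to start if the file is missing or exposed to other users.
ant_with_repo_props() (
    props=${REPO_PROPS:-$HOME/maven.repo.properties}
    if ! is_private "$props"; then
        echo "refusing to use $props: missing or readable by group/others" >&2
        exit 1
    fi
    exec ant -propertyfile "$props" "$@"
)
```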

The ivysettings.xml sample in Mark O'Connor's answer should actually be as follows:

<ivysettings>
  <property name="repo.host" value="default.mycompany.com" override="false"/>
  <property name="repo.realm" value="Sonatype Nexus Repository Manager" override="false"/>
  <property name="repo.user" value="deployment"  override="false"/>
  <property name="repo.pass" value="deployment123"  override="false"/>          

  <credentials host="${repo.host}" realm="${repo.realm}" username="${repo.user}" passwd="${repo.pass}"/>

  ..
</ivysettings>

This means the property names should not be surrounded by ${...} (it took me quite a while to find out why this failed, but now I know how to debug Ivy access: use commons-httpclient-3.0, set everything to verbose, etc.)

Leilaleilah answered 27/11, 2014 at 16:27 Comment(2)
How is this different from Mark's answer? Also, what do you mean by "use commons-httpclient-3.0"? Set what to verbose (Ant? Ivy?)? - Xylol
The edit by Manfred Moser, May 22, 2015, just copied my answer. However, this is quite some time ago, and I haven't used Ant/Ivy recently. commons-httpclient has been end of life for several years; the latest release of the original commons-httpclient in mvn central is 3.1 from Aug 21, 2007. Most likely Ivy had a dependency on httpclient at the time. But feel free to do some research... - Leilaleilah

In addition to Mark O'Connor's answer, you can hide the password from your daily work and from the prying eyes of your workmates by putting these properties either into the antrc startup file or into the environment variables used by Ant. Please note that they are not very secure in either place.

Regimen answered 21/9, 2011 at 19:43 Comment(1)
If I was truly paranoid about the password being saved in cleartext, I'd write an ANT task that reads an encrypted copy from a properties file. See jasypt.org/encrypting-configuration.html - Camelopardalis
