Encrypted SCM Passwords in Maven - No Fluff Just Stuff

Encrypted SCM Passwords in Maven

Posted by: Matthew McCullough on August 28, 2009

A little late night hacking and I was able to get encrypted passwords to work in the Maven SCM plugin with Maven 2.2 based on the prodding of Kurt Tometich, an NFJS attendee, and his JIRA bug# SCM-495. Previously, this encryption feature only worked for Wagon providers (the connectors for uploading artifacts), not for SCM providers, contrary to some blog comments.

It was quite the effort. After a few minutes, I found the code in DefaultMaven.java that performed the decryption. Now, I thought, “just implement a similar call in AbstractScmMojo.java right?” I harbor a bit of angst for the fact that the JIRA isn’t Fisheye-connected to the source code repository, so finding the files changed for a given defect is much harder than it should be.

The Maven Mojo Developer Cookbook did offer a bit of insight (though syntactically off a bit on the container.getLookupRealm()) on how to get a handle to the container and look up the security provider, DefaultSecDispatcher.java.

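SecDispatcher sd = null;

try {
  // Look up the security dispatcher registered under the "maven" role hint
  sd = (SecDispatcher)container.lookup( SecDispatcher.ROLE, "maven" );
} catch ( ComponentLookupException e ) {
  // Lookup failed: sd stays null, so encrypted passwords cannot be decrypted
  getLog().warn( "Cannot find " + SecDispatcher.ROLE + ":maven" );
}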

There was even the fabled “java.lang.ClassCastException: org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher cannot be cast to org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher” at one point. Oh nuts. Not the classloader scoping issue, please…

The trick on the classloader is that the DefaultSecDispatcher class is available via a dependency on plexus-sec-dispatcher, but is also included (repackaged) in the Maven core distribution maven-2.2.0-uber.jar. With both copies loaded by different classloaders, the cast fails even though the class names match. So the SCM provider project’s dependency on plexus-sec-dispatcher has to be given the provided scope (<scope>provided</scope>) for compilation of the maven-scm-plugin.

Lots of learning about the Maven code base occurred. The only interesting finding was how, instead of putting the decryption on the accessor (getter) of password from the settings data structure, it is put in each place it is attempted to be used (e.g. the Wagon “dispatcher”, and now the SCM “dispatcher”). I’ll bring up a refactoring of that with the Maven IRC folks…
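A sketch of what decryption at the SCM use site can look like, as an added example rather than the code from the post or from the maven-scm-plugin. The class name ScmPasswordDecryptor, the method passwordFor and the fail-closed check are assumptions made for illustration; it expects plexus-sec-dispatcher on the compile classpath with provided scope, as described above.

```java
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugin.logging.Log;
import org.apache.maven.settings.Server;
import org.apache.maven.settings.Settings;
import org.codehaus.plexus.PlexusContainer;
import org.codehaus.plexus.component.repository.exception.ComponentLookupException;
import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
import org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException;

// Hypothetical helper (not part of Maven): resolves the clear-text password
// for a <server> entry in settings.xml at the point where the SCM mojo needs it.
public final class ScmPasswordDecryptor {

    private ScmPasswordDecryptor() {
    }

    /** Returns the usable password for serverId, or null if none is configured. */
    public static String passwordFor(PlexusContainer container, Settings settings,
                                     String serverId, Log log) throws MojoExecutionException {
        Server server = settings.getServer(serverId);
        if (server == null || server.getPassword() == null) {
            return null;
        }
        String stored = server.getPassword();

        SecDispatcher dispatcher;
        try {
            // Same lookup as in the post: role hint "maven" selects Maven's dispatcher.
            dispatcher = (SecDispatcher) container.lookup(SecDispatcher.ROLE, "maven");
        } catch (ComponentLookupException e) {
            // Fail closed (a choice made in this example): never hand a value that
            // looks like {ciphertext} to the SCM provider as if it were the password.
            if (stored.startsWith("{") && stored.endsWith("}")) {
                throw new MojoExecutionException("Password for server '" + serverId
                        + "' is encrypted but no SecDispatcher is available", e);
            }
            log.warn("SecDispatcher not found; using password for '" + serverId + "' as stored");
            return stored;
        }

        try {
            // decrypt() hands back values that are not wrapped in {...} unchanged.
            return dispatcher.decrypt(stored);
        } catch (SecDispatcherException e) {
            // Report the server id only; the stored or decrypted value is never logged.
            throw new MojoExecutionException("Cannot decrypt password for server '"
                    + serverId + "'", e);
        }
    }
}
```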

Matthew McCullough
