Hide password in settings.xml in jenkins for profiles - maven

First we had a settings.xml like this:
<servers>
<server>
<id>test</id>
<username>user</username>
<password>secret1</password>
</server>
</servers>
<profiles>
<profile>
<id>flyway.help</id>
<properties>
<flyway.placeholders.db.user>user</flyway.placeholders.db.user>
<flyway.placeholders.db.password>secret2</flyway.placeholders.db.password>
</properties>
</profile>
</profiles>
The username and password are in plain text.
Then we used the credentials plugin inside our global settings.xml so we could hide the username and password of our server.
It's now like this:
<servers>
<server>
<id>test</id>
</server>
</servers>
It's pointing to the ID test. This works well.
But how can we hide the passwords we have inside our profile section, between the flyway tags?
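An audit for the two places the question stores secrets, `<server>` passwords and password-like profile properties, as an added Python example (not part of the original post). The sample document, the `enc` server and the `FLYWAY_DB2_PASSWORD` variable name are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the question's settings.xml; all values are placeholders.
SAMPLE = """<settings>
  <servers>
    <server><id>test</id><username>user</username><password>secret1</password></server>
    <server><id>enc</id><password>{CONSTRUCTED-ENCRYPTED-VALUE=}</password></server>
  </servers>
  <profiles><profile>
    <id>flyway.help</id>
    <properties>
      <flyway.placeholders.db.user>user</flyway.placeholders.db.user>
      <flyway.placeholders.db.password>secret2</flyway.placeholders.db.password>
      <flyway.placeholders.db2.password>${env.FLYWAY_DB2_PASSWORD}</flyway.placeholders.db2.password>
    </properties>
  </profile></profiles>
</settings>"""

SECRET_NAME = re.compile(r"password|passphrase|secret|token", re.I)
REFERENCE = re.compile(r"^\$\{[^}]+\}$")   # ${env.X} style indirection
ENCRYPTED = re.compile(r"^\{[^{}]+\}$")    # shape of a Maven-encrypted <server> password

def local(tag):  # element name without its XML namespace
    return tag.rsplit("}", 1)[-1]
def kids(node, name):  # direct children with the given local name
    return [c for c in node if local(c.tag) == name]
def text_of(node, name):  # stripped text of the first matching child, or ""
    found = kids(node, name)
    return (found[0].text or "").strip() if found else ""

def find_plaintext_secrets(xml_text):
    """Return (section, id, field) for every literal secret in a settings.xml."""
    root, hits = ET.fromstring(xml_text), []
    for server in (s for grp in kids(root, "servers") for s in kids(grp, "server")):
        for field in ("password", "passphrase"):
            value = text_of(server, field)
            if value and not (REFERENCE.match(value) or ENCRYPTED.match(value)):
                hits.append(("server", text_of(server, "id"), field))
    for profile in (p for grp in kids(root, "profiles") for p in kids(grp, "profile")):
        for prop in (e for grp in kids(profile, "properties") for e in grp):
            value = (prop.text or "").strip()
            # Maven decrypts {...} only for <server>/<proxy> passwords, so here only ${...} passes.
            if SECRET_NAME.search(local(prop.tag)) and value and not REFERENCE.match(value):
                hits.append(("profile", text_of(profile, "id"), local(prop.tag)))
    return hits

if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE))
```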

Related

How can I whitelist my private nexus on maven 3.8?

It seems like Maven 3.8 has introduced some kind of MITM attack protection; in doing so it drops all the connections to the private repositories (such as Nexus Sonatype and so on). Here is what happens when I try to download dependencies that are hosted in my private repository
And it stays there, waiting forever...
The private repositories are defined in the settings.xml file and everything worked perfectly (with mvn 3.6.3) until Maven 3.8.
How can I put such private repositories in the "maven trusted" ones?
Here is the settings.xml:
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
<profiles>
<profile>
<id>first-profile</id>
<repositories>
<repository>
<id>my-nexus</id>
<url>http://nexus.mycompany.com:8081/repository/dev/</url>
</repository>
</repositories>
</profile>
</profiles>
<servers>
<server>
<id>my-nexus</id>
<username>username</username>
<password>password</password>
</server>
</servers>
<activeProfiles>
<activeProfile>first-profile</activeProfile>
</activeProfiles>
</settings>
Overriding the shipped mirror tag from /opt/maven/conf/settings.xml by placing a new variant into the user's settings.xml, only adding local repo ids to be not considered by the mirrorOf rule, worked for me.
Maven 3.8.x
<settings>
<mirrors>
<!-- a copy of /opt/maven/conf/settings.xml, so can override with exception rules -->
<mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>!my-repo1,!my-repo2,external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
<blocked>true</blocked>
</mirror>
</mirrors>
</settings>

How to avoid from using the defined mirror with a different profile in Maven?

My project at work is using an Artifactory as mirror of Maven. So there is the following setting in ~/.m2/settings.xml:
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
https://maven.apache.org/xsd/settings-1.0.0.xsd">
<servers>
<server>
<id>artifactory</id>
<username>rx</username>
<password>67CoHEdAxq6PALFzoB</password>
</server>
</servers>
<mirrors>
<mirror>
<id>artifactory</id>
<mirrorOf>*</mirrorOf>
<url>https://dev.mycompany.com/artifactory/maven-all</url>
</mirror>
</mirrors>
</settings>
As a result, all the repositories will download dependencies or plugins from the mirror: https://dev.mycompany.com/artifactory/maven-all. However, I need to develop my own projects on the same PC without using the mirror but only the maven central repository, https://repo.maven.apache.org/maven2. So I intend to use a profile, inside which the repository has a unique id, private, then make use of <mirrorOf>*,!private</mirrorOf> to be prevented from using the Artifactory mirror. The changed settings.xml looks like this:
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
https://maven.apache.org/xsd/settings-1.0.0.xsd">
<servers>
<server>
<id>artifactory</id>
<username>rx</username>
<password>67CoHEdAxq6PALFzoB</password>
</server>
</servers>
<mirrors>
<mirror>
<id>artifactory</id>
<mirrorOf>*,!private</mirrorOf>
<url>https://dev.mycompany.com/artifactory/maven-all</url>
</mirror>
</mirrors>
<profiles>
<profile>
<id>private</id>
<repositories>
<repository>
<id>private</id>
<id>https://repo.maven.apache.org/maven2/</id>
</repository>
</repositories>
</profile>
</profiles>
</settings>
Problem: when making use of the profile private to generate a project with the following command:
mvn -P private archetype:generate -DgroupId=rx.practice.servlet -DartifactId=servlet -DarchetypeArtifactId=maven-archetype-quickstart -DarchetypeVersion=1.4 -DinteractiveMode=false
Maven still tries to download the plugin from the mirror, which does not contain those plugins. Can anyone explain why, and how to fix it?
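The `<mirrorOf>` matching that both the HTTP-blocker override in the earlier answer and this question depend on, as an added Python example (not part of any post, and a simplified model of the documented rules rather than Maven's own code). `central` is Maven's built-in default repository id, and `!my-nexus` is the earlier answer's pattern applied to that question's repository id.

```python
from urllib.parse import urlparse

LOCAL_HOSTS = {"localhost", "127.0.0.1"}

def is_external(url):
    """A repository is external unless it is a file URL or points at the local host."""
    u = urlparse(url)
    return u.scheme != "file" and u.hostname not in LOCAL_HOSTS

def mirror_applies(mirror_of, repo_id, repo_url):
    """True if a mirror with this <mirrorOf> value takes over the repository."""
    matched = False
    for token in (t.strip() for t in mirror_of.split(",")):
        if len(token) > 1 and token.startswith("!"):
            if token[1:] == repo_id:
                return False            # explicit exclusion ends the search
        elif token == repo_id:
            return True                 # exact id match
        elif token == "*":
            matched = True              # a later !id may still exclude
        elif token == "external:*":
            matched = matched or is_external(repo_url)
        elif token == "external:http:*":
            matched = matched or (is_external(repo_url)
                                  and urlparse(repo_url).scheme == "http")
    return matched

# Repositories taken from the posts; PRIVATE uses the URL the question intended for it.
NEXUS = ("my-nexus", "http://nexus.mycompany.com:8081/repository/dev/")
CENTRAL = ("central", "https://repo.maven.apache.org/maven2")
PRIVATE = ("private", "https://repo.maven.apache.org/maven2/")

def evaluate():
    """Run the page's mirrorOf patterns against the page's repositories."""
    return {
        "default blocker vs my-nexus": mirror_applies("external:http:*", *NEXUS),
        "blocker with !my-nexus": mirror_applies("!my-nexus,external:http:*", *NEXUS),
        "blocker vs https central": mirror_applies("external:http:*", *CENTRAL),
        "*,!private vs private": mirror_applies("*,!private", *PRIVATE),
        "*,!private vs central": mirror_applies("*,!private", *CENTRAL),
    }

if __name__ == "__main__":
    for case, mirrored in evaluate().items():
        print(f"{case}: {'mirror used' if mirrored else 'direct'}")
```

Matching is by repository id, so requests addressed to the built-in `central` repository are still covered by `*` and go to the mirror even when the `private` profile is active. A `!id` exemption from the HTTP blocker means that repository, and any `<server>` credentials sent to it, travel over cleartext HTTP.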

How to use server with SAML authentication?

I have a server that uses SAML access.
I want to write a Java application that gets dependencies from this server.
I created a settings.xml:
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
<servers>
<server>
<id>repoID</id>
<username>myuser</username>
<password>mypaswrod</password>
</server>
</servers>
<profiles>
<profile>
<id>snapshot.build</id>
<repositories>
<repository>
<id>repoID</id>
<url>my-url</url>
</repository>
</repositories>
</profile>
</profiles>
<activeProfiles>
<activeProfile>snapshot.build</activeProfile>
</activeProfiles>
</settings>
When I tried to run mvn clean install I got an error from mvn because of the SAML.
The error occurs because mvn didn't succeed in downloading the relevant dependencies.
The error from MVN is "no checksum available"; when I tried to open the file that was downloaded, I got an HTML SAML error.
Does MVN support SAML access?

Using profiles in maven

I have added below profile to my pom.xml :
<profiles>
<profile>
<id>nexus</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<distributionManagement>
<repository>
<id>nexusid1</id>
<url>http://</url>
</repository>
<snapshotRepository>
<id>nexusid2</id>
<url>http://</url>
</snapshotRepository>
</distributionManagement>
</profile>
</profiles>
I have added to settings.xml :
<server>
<id>nexusid1</id>
<username>username</username>
<password>passwword</password>
</server>
To add the project to the Nexus repo I use mvn deploy
Do I need to use a profile in this case?
If I want to deploy to nexusid2, does this mean I need to add a new server entry to settings.xml even if the username/password for nexusid1 & nexusid2 are the same?
According to this page, there is a -DaltDeploymentRepository argument for mvn:deploy. But imho, profiles would be the more elegant solution here, because you don't need to remember the server id but the profile name.
And yes, you need to add a new server to the settings.xml, even if username and password are equal.
Note besides: Password encryption for server management

Maven - <server/> in settings.xml

I use tomcat-maven-plugin to deploy my war to a server. What I have to do is configure it like this in my pom.xml:
<configuration>
...
<url>http://localhost/manager</url>
<username>admin</username>
<password>admin</password>
...
</configuration>
But then I obviously want to keep these settings in a different place since I work on my computer but then there's a staging and a live server as well where the settings of the server are different.
So let's use the .m2/settings.xml:
<servers>
<server>
<id>local_tomcat</id>
<username>admin</username>
<password>admin</password>
</server>
</servers>
Now change the pom.xml:
<configuration>
<server>local_tomcat</server>
</configuration>
But where to put the URL of the server? There's no place for that in the settings.xml under the server tag! Maybe like this?
<profiles>
<profile>
<id>tomcat-config</id>
<properties>
<tomcat.url>http://localhost/manager</tomcat.url>
</properties>
</profile>
</profiles>
<activeProfiles>
<activeProfile>tomcat-config</activeProfile>
</activeProfiles>
..and use the ${tomcat.url} property.
But then the question is, why use the server tag in settings.xml at all? Why not use properties for the username and password as well? Or is there a place for the URL as well in the settings URL so I don't have to use properties?
First off let me say, profiles are one of the most powerful features of Maven.
First make a profile in your pom.xml that looks like this:
<profiles>
<profile>
<id>tomcat-localhost</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<tomcat-server>localhost</tomcat-server>
<tomcat-url>http://localhost:8080/manager</tomcat-url>
</properties>
</profile>
</profiles>
Then in your ~/.m2/settings.xml file add servers entries like this:
<servers>
<server>
<id>localhost</id>
<username>admin</username>
<password>password</password>
</server>
</servers>
Then configure your build plugin like this:
<plugin>
<!-- enable deploying to tomcat -->
<groupId>org.codehaus.mojo</groupId>
<artifactId>tomcat-maven-plugin</artifactId>
<version>1.1</version>
<configuration>
<server>${tomcat-server}</server>
<url>${tomcat-url}</url>
</configuration>
</plugin>
This will enable your tomcat-localhost profile by default and allow you to deploy to it with a simple mvn clean package tomcat:deploy.
To deploy to other targets, set up a new <server/> entry in settings.xml with the appropriate credentials. Add a new profile but leave off the <activation/> stanza and configure it to point to the appropriate details.
Then to use it do mvn clean package tomcat:deploy -P [profile id] where the [profile id] is the new profile.
The reason that credentials are set in the settings.xml is because your username and password should be secret in most cases, and there is no reason to deviate from the standard way of setting up server credentials that people will have to adapt to.
settings.xml
<settings>
<servers>
<server>
<id>company.jfrog.io</id>
<username>user-name</username>
<password>user-password</password>
</server>
</servers>
</settings>
pom.xml
<repositories>
<repository>
<id>company.jfrog.io</id>
<url>https://company.jfrog.io/company/release</url>
</repository>
</repositories>
Put settings.xml to
c:/Users/user-name/.m2/settings.xml (for Windows),
~/.m2/settings.xml (for Linux).
company.jfrog.io can be any identifier, but it should be the same in settings.xml and pom.xml.
This works for Maven 3.
