On Tue, Mar 20, 2012 at 12:58 PM, Olivier Lamy <[email protected]> wrote:
> Hello Folks,
>
> The default preemptive on for GET is probably a bad idea.
> Imagine the following case, in your settings you have:
>
> <server>
>   <username>olamy</username>
>   <password>reallycomplicatedpassword</password>
>   <id>foo.org</id>
> </server>
>
> During dependencies resolution, you get a pom with a repository.
>
> <repository>
>   <id>foo.org</id>
>   <url>http://yourpasswordwillbehacked.org/</url>
> </repository>
>
> So with preemptive or not, you will expose your password to a server
> you probably don't trust.
>
> My ideas are:
> * preemptive off by default for GET

+1000

> * adding a url element in server element in the settings. And when
> using a remote repository send authz only if host:ip match

I'm concerned about compatibility with previous maven versions if we do this, as it's very common to share settings across different versions (think m2 cli + m2e with embedded m3).

But there is an issue here that needs to be solved.

Perhaps instead of a new element, we introduce a way such that the id can be a dns entry and then we only use the credentials if the dns and id match.

i.e.

<repository>
  <id>foo.org</id>
  <url>http://yourpasswordwillbehacked.org/</url>
</repository>

won't send any credentials, even if asked via a 401 response, whereas

<repository>
  <id>foo.org</id>
  <url>http://therealthing.foo.org/repo1</url>
</repository>
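The credential-scoping rule sketched in the reply above, written out as an added example (this is not Maven's own code, and the thread does not say how Maven would implement it). It parses a constructed settings.xml fragment that mirrors the one in the original message, then decides for a given <repository> id and URL whether the matching <server> credentials may be released. The interpretation of "the dns and id match" used here is an assumption: an id containing a dot is treated as a DNS name, and credentials are sent only when the URL host is that name or a subdomain of it; ids without a dot keep the legacy id-only lookup, which is the compatibility concern the reply raises.

```python
"""Scope Maven <server> credentials to the repository host.

Added example, not Maven's own code. Implements the rule proposed in the
reply above: a <server> whose id looks like a DNS name only has its
credentials sent to a repository whose URL host is that name or a
subdomain of it. The subdomain rule, the dot-in-id heuristic and the
settings fragment below are this example's assumptions.
"""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed settings.xml fragment (assumed; mirrors the thread's example
# plus one non-DNS id to show the legacy path).
SETTINGS_XML = """<settings>
  <servers>
    <server>
      <id>foo.org</id>
      <username>olamy</username>
      <password>reallycomplicatedpassword</password>
    </server>
    <server>
      <id>my-internal-repo</id>
      <username>ci</username>
      <password>secret</password>
    </server>
  </servers>
</settings>"""


def load_servers(settings_xml):
    """Return {server id: (username, password)} from a settings document."""
    root = ET.fromstring(settings_xml)
    servers = {}
    for server in root.iterfind("./servers/server"):
        sid = server.findtext("id")
        servers[sid] = (server.findtext("username"), server.findtext("password"))
    return servers


def legacy_credentials_for(servers, repo_id):
    """Pre-change behaviour: the repository id alone selects the credentials.

    Any POM that reuses a trusted id with a hostile URL gets the password.
    """
    return servers.get(repo_id)


def host_matches_id(host, server_id):
    """DNS-style match: host is the id itself or a subdomain of it.

    Assumption: this is how 'the dns and id match' is interpreted here.
    Comparison is case-insensitive and a trailing dot is ignored.
    """
    host = host.lower().rstrip(".")
    server_id = server_id.lower().rstrip(".")
    return host == server_id or host.endswith("." + server_id)


def credentials_for(servers, repo_id, repo_url):
    """Hardened lookup: release credentials only when host and id agree.

    Ids containing a dot are treated as DNS names (assumption) and must
    match the URL host; other ids fall back to the legacy id-only lookup
    so existing settings files keep working. The decision does not depend
    on whether the request is preemptive or answering a 401 challenge:
    a mismatched host never sees the password.
    """
    creds = legacy_credentials_for(servers, repo_id)
    if creds is None:
        return None
    if "." in repo_id:
        host = urlsplit(repo_url).hostname or ""
        if not host_matches_id(host, repo_id):
            return None
    return creds


if __name__ == "__main__":
    servers = load_servers(SETTINGS_XML)
    for repo_id, url in [
        ("foo.org", "http://yourpasswordwillbehacked.org/"),
        ("foo.org", "http://therealthing.foo.org/repo1"),
        ("my-internal-repo", "http://anything.example/"),
    ]:
        print(repo_id, url, "->", credentials_for(servers, repo_id, url))
```

With the hostile POM from the thread (id foo.org, host yourpasswordwillbehacked.org) the hardened lookup returns nothing, while the legacy lookup would hand over the password; the non-DNS id still behaves as before, which is exactly the trade-off between safety and settings compatibility the reply points at.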
