[
https://issues.apache.org/jira/browse/MWRAPPER-46?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17891543#comment-17891543
]
Timur commented on MWRAPPER-46:
-------------------------------
Any progress here?
The problem seems to be very relevant for enterprises. We are quite strict in
terms of downloading binaries from third parties.
As the reporter, we use Nexus.
Exposing environment variables for downloading has an additional usability
drawback - the user must set them beforehand. It makes the Maven wrapper less
useful as the primary purpose of it is to simplify environment configuration.
> Simplify use of Maven Wrapper in different environments (basic auth required)
> -----------------------------------------------------------------------------
>
> Key: MWRAPPER-46
> URL: https://issues.apache.org/jira/browse/MWRAPPER-46
> Project: Maven Wrapper
> Issue Type: Improvement
> Affects Versions: 3.1.0
> Reporter: Jimisola Laursen
> Priority: Normal
>
> I'll describe our use-case as I suspect that we might be alone with this one.
> This ticket relates to:
> # MVNW_REPOURL being insufficient
> # user not being able to set MVNW_USERNAME/PASSWORD in plain text due
> security
> *Prerequisites:*
> * _Self-hosted Maven 2 repo that requires basic auth_ (Nexus with proxy for
> Maven Central)
> * Environments:
> ** Local machine: need to use proxy for Internet, can't set
> MVNW_USERNAME/PASSWORD in plain text due security
> ** Pipeline/Deployment (k8s): need to use proxy for Internet,
> MVNW_USERNAME/PASSWORD are set
> * We want to be able to specify wrapper and/or Maven version (hence, use
> maven-wrapper.properties)
> *Use-case:* all downloads, but local and in cluster/cloud, should go via our
> self-hosted Maven 2 repo that requires basic auth
> *Setup cases:*
> # Setting MVNW_REPOURL in both environments causes two problems:
> ## local machine: we would have to set MVNW_USER/PASSWORD (can't due to
> security risk)
> ## k8s: MVNW_REPOURL environment variable, strangely, doesn't override value
> in maven-wrapper.properties, but vice versa. Is this really common practise?
> Compare with e.g. [Spring Boot's Externalized
> Configuration|https://docs.spring.io/spring-boot/docs/1.2.3.RELEASE/reference/html/boot-features-external-config.html].
> So, we would have to either change the base url in the
> maven-wrapper.properties in k8s explicitly since we want to keep the version
> information for maven-wrapper and Maven.
> # Changing the urls to the self-hosted repo in maven-wrapper.properties:
> ## local machine: we would have to set MVNW_USER/PASSWORD (can't due to
> security risk)
> ## k8s: would work since MVNW_USERNAME/PASSWORD are set
> # Having maven-wrapper.jar checked in doesn't solve the issue since Maven
> itself has to be downloaded as well and basic auth not set.
> *Ideas:*
> # be able to use [Password
> Encryption|https://maven.apache.org/guides/mini/guide-encryption.html] and
> have password encrypted in settings.xml or in MVNW_PASSWORD: issue of course
> being that Maven Password Encryption is not available during bootstrapping.
> # change the behavior of MVNW_REPOURL so that it has the highest priority
> and supersedes defaults in mvnw[.cmd] script as well as in
> maven-wrapper.properties: at least then we can keep a correct
> maven-wrapper.properties (w/ self-hosted Maven repo) and set MVNW_REPOURL to
> Maven Central on local machine for bootstrapping.
> *Proposed semi-solution:*
> * Change priority of MVNW_REPOURL or, for backwards compatibility, add
> another environment variable which supersedes all other settings
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
