commons-dev mailing list archives

From Ross Gardler <>
Subject Re: JJar via authenticating proxy
Date Mon, 03 Jun 2002 12:32:16 GMT

Geir Magnusson Jr. wrote:

> On 6/3/02 7:22 AM, "Ross Gardler" <> wrote:
>>(copied back to jakarta-commons in case anyone there has a better idea)
> I assume that you didn't guess I sent it privately for a reason?

Ooops, sorry.

> I didn't want there to be any expectation of delivery, as I have an awful
> track record lately on this...

Well I am more than willing to help with the coding of this section.

 >> 1. Put the username and password in the ANT build file and pass them 
 >> to the JJAR test
 >> 2. Have ant ask for the username and password interactively and pass the
 >> values to the JJAR task
 >> 3. Define our own System properties to hold the username and password
 >> and have JJAR extract them from there

>>1 & 3 have a problem in that we either have to force the user to encode
>>the values before setting them or we create a security problem by
>>storing them unencoded.
> Well, uuencoding doesn't make anything secret, just gibberish at first
> glance.  And since we would be sending what is effectively cleartext
> anyway...

A good point.

>>2 is perhaps the best. We could set a property in the build file
>>indicating whether we are connecting through an authenticating proxy or
>>not, thus prompting the user for username and password. Furthermore,
>>using this method we allow the user to decide if they want to store the
>>username/password in the build file and thus prevent the need to type
>>them each time.
>>What do you think?
> The problem with 2 is that it doesn't work for anything automated - for
> example a build system that is run automatically for testing would need to
> have the values somewhere.
> I think what we need is to give people the choice - one option to specify
> the values like #1, and one for #2, so if you want to keep it secret and do
> interactively, you can.
> Since we are talking about a security system that does everything in
> cleartext, doing something fancier doesn't make sense at first.

I agree. If you want assistance just let me know what you have got so far and
I'll do the rest.


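The choice this thread settles on (stored values for automated builds, a prompt otherwise), as an added example that is not part of the original message or of JJar's code. It assumes HTTP Basic proxy authentication, and the property names `jjar.proxy.user` and `jjar.proxy.password` are hypothetical.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Properties;

public class ProxyCredentials {
    // Hypothetical property names (assumption, not defined by JJar or Ant).
    static final String USER_KEY = "jjar.proxy.user";
    static final String PASS_KEY = "jjar.proxy.password";

    /** Stored values win (automated builds); anything missing is prompted for. */
    static String[] resolve(Properties props, BufferedReader in) throws IOException {
        String user = props.getProperty(USER_KEY);
        String pass = props.getProperty(PASS_KEY);
        if (user == null) {
            System.err.print("Proxy username: ");
            user = in.readLine();
        }
        if (pass == null) {
            System.err.print("Proxy password: ");
            pass = in.readLine();
        }
        if (user == null || pass == null) {
            throw new IOException("no proxy credentials configured and no input available");
        }
        return new String[] { user, pass };
    }

    /** Value for the Proxy-Authorization header under HTTP Basic. */
    static String basicHeader(String user, String pass) {
        byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) throws IOException {
        Properties props = new Properties();
        props.setProperty(USER_KEY, "builduser"); // constructed sample value
        BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
        String[] cred = resolve(props, in); // password is not stored, so it is prompted for
        String header = basicHeader(cred[0], cred[1]);
        System.out.println("Proxy-Authorization: " + header);
        // The encoding is reversible with one call, so it hides nothing on the wire.
        byte[] back = Base64.getDecoder().decode(header.substring("Basic ".length()));
        System.out.println("Recovered by decoding: " + new String(back, StandardCharsets.UTF_8));
    }
}
```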