maven-issues mailing list archives

From Marc Schöchlin (JIRA) <j...@codehaus.org>
Subject [jira] Created: (MNG-4499) Security management: Ease interaction with SSL sites
Date Thu, 17 Dec 2009 13:40:55 GMT
Security management: Ease interaction with SSL sites 
-----------------------------------------------------

                 Key: MNG-4499
                 URL: http://jira.codehaus.org/browse/MNG-4499
             Project: Maven 2 & 3
          Issue Type: Improvement
          Components: Artifacts and Repositories, Command Line, Deployment
    Affects Versions: 3.x
            Reporter: Marc Schöchlin
            Priority: Critical


Development environments often use ssl-certificates which are self-signed or signed by company-internal
certification authorities.

If the certificate is unknown, Maven outputs the following message:
---
[INFO] Scanning for projects...
[INFO] snapshot de.foo.bar:bar-parent:0.0.1-SNAPSHOT: checking for updates from snapshots
[WARNING] repository metadata for: 'snapshot de.foo.bar:bar-parent:0.0.1-SNAPSHOT' could not be retrieved from repository: snapshots due to an error: Error transferring file: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[INFO] Repository 'snapshots' will be blacklisted
---
This is disastrous from a usability point of view :-)

Procedures like this are not very convenient for developers:
---
$JAVA_HOME/bin/keytool -import -alias UserTrustExternalCARoot -file UserTrustExternalCARoot.crt \
    -keystore $JAVA_HOME/jre/lib/security/jssecacerts
export MAVEN_OPTS="-Djavax.net.ssl.keyStore=$HOME/.keystore \
    -Djavax.net.ssl.keyStorePassword=changeit \
    -Djavax.net.ssl.trustStore=$HOME/.keystore \
    -Djavax.net.ssl.trustStorePassword=changeit"
mvn -Dusername=foo deploy
---

Maven should provide a convenient way to accept an unknown certificate.

In my opinion this should be implemented like this:
- If the exception is raised, Maven should output a message that the certificate can be downloaded
  and integrated in the keystore in an automated way by invoking the new Maven option
  "-dc <hostname> ..<hostname>|--download-certificate <hostname> <hostname>"
- If this option is invoked, Maven automatically downloads the certificate/CA for the specified
  domain, adds it to a keystore located in $HOME/.m2/keystores/<domain> and executes
  the specified goal with this keystore
- If Maven is called without the new option, Maven uses the keystores in $HOME/.m2/keystores/<domain>
  before giving up on certificate problems


  




-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
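
An added example, not part of the original message and not Maven functionality: a shell helper that imports an internal CA certificate into a per-host truststore only after its SHA-256 fingerprint matches a value obtained out of band. The function names, the use of the `$HOME/.m2/keystores/<host>` layout from the proposal above, the `changeit` password, and `openssl` and `keytool` being on the PATH are assumptions.

```shell
#!/bin/sh
# Added example: pin check before trusting an internal CA certificate.
# Assumptions (not from Maven): function names, the per-host truststore path
# borrowed from the layout proposed in the message, store password "changeit".

# Print the SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed -e 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Return 0 only if the certificate matches the fingerprint obtained out of
# band (for example from the CA administrator). Colons and case are ignored.
cert_matches_pin() {
    actual=$(cert_fingerprint "$1")
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# usage: import_pinned_cert <host> <cert.pem> <sha256-pin>
# Imports into a per-host truststore instead of the JRE-wide jssecacerts,
# so the extra trust anchor applies only where it is explicitly selected.
import_pinned_cert() {
    host=$1; cert=$2; pin=$3
    store="$HOME/.m2/keystores/$host"
    if ! cert_matches_pin "$cert" "$pin"; then
        echo "refusing to import $cert: fingerprint does not match pin" >&2
        return 1
    fi
    # -noprompt is acceptable here because the pin check above replaces
    # keytool's interactive "Trust this certificate?" question.
    mkdir -p "$HOME/.m2/keystores" &&
    keytool -importcert -noprompt -alias "$host" -file "$cert" \
        -keystore "$store" -storepass changeit &&
    echo "export MAVEN_OPTS=\"-Djavax.net.ssl.trustStore=$store -Djavax.net.ssl.trustStorePassword=changeit\""
}
```

On success the function prints the `MAVEN_OPTS` line to evaluate before running `mvn`; on a fingerprint mismatch it writes nothing to the truststore.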

       
