Encrypted SCM Passwords in Maven

28 Aug 2009

A little late-night hacking and I was able to get encrypted passwords to work in the Maven SCM plugin with Maven 2.2, based on the prodding of Kurt Tometich, an NFJS attendee, and his JIRA bug SCM-495. Previously, this encryption feature only worked for Wagon providers (the connectors for uploading artifacts), not for SCM providers, contrary to some blog comments.

It was quite the effort. After a few minutes, I found the code in DefaultMaven.java that performed the decryption. Now, I thought, "just implement a similar call in AbstractScmMojo.java, right?" I harbor a bit of angst for the fact that the JIRA isn't Fisheye-connected to the source code repository, so finding the files changed for a given defect is much harder than it should be.

The Maven Mojo Developer Cookbook did offer a bit of insight (though syntactically off a bit on the container.getLookupRealm()) on how to get a handle to the container and look up the security provider, DefaultSecDispatcher.java.

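[java]
SecDispatcher sd = null;
try {
    // Look up the "maven" security dispatcher in the Plexus container
    sd = (SecDispatcher) container.lookup( SecDispatcher.ROLE, "maven" );
} catch ( ComponentLookupException e ) {
    // Lookup failed: sd stays null, so callers must check it before decrypting
    getLog().warn( "SecDispatcher lookup failed: " + e.getMessage() );
}
[/java]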

There was even the fabled "java.lang.ClassCastException: org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher cannot be cast to org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher" at one point. Oh nuts. Not the classloader scoping issue, please...

The trick with the classloader is that the DefaultSecDispatcher class is available via a dependency on plexus-sec-dispatcher, but is also included (repackaged) in the Maven core distribution maven-2.2.0-uber.jar. So the SCM provider project's dependency on plexus-sec-dispatcher has to be scoped as <scope>provided</scope> for compilation of the maven-scm-plugin.
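The "X cannot be cast to X" failure can be reproduced with nothing but the JDK. This is an added example, not code from the post or from Maven: `Dispatcher` and `IsolatingLoader` are hypothetical stand-ins for DefaultSecDispatcher and for a plugin classloader that carries its own bundled copy of the class.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

// Constructed demo: the same class bytes defined by two loaders are two distinct types.
public class DuplicateClassDemo {
    // Hypothetical stand-in for a class shipped both in core and in a plugin dependency.
    public static class Dispatcher { }

    // Defines its own copy of Dispatcher instead of delegating to the parent,
    // as happens when the dependency is bundled rather than scoped as provided.
    static class IsolatingLoader extends ClassLoader {
        private final String target = Dispatcher.class.getName();

        IsolatingLoader(ClassLoader parent) { super(parent); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(target)) return super.loadClass(name, resolve);
            Class<?> loaded = findLoadedClass(name);
            if (loaded != null) return loaded;
            String resource = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(resource)) {
                if (in == null) throw new ClassNotFoundException(name);
                ByteArrayOutputStream buf = new ByteArrayOutputStream();
                byte[] chunk = new byte[4096];
                for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
                byte[] bytes = buf.toByteArray();
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader core = DuplicateClassDemo.class.getClassLoader();
        Class<?> copy = new IsolatingLoader(core).loadClass(Dispatcher.class.getName());
        Object instance = copy.getDeclaredConstructor().newInstance();
        System.out.println("same name:  " + copy.getName().equals(Dispatcher.class.getName()));
        System.out.println("same class: " + (copy == Dispatcher.class));
        try {
            Dispatcher d = (Dispatcher) instance; // core's Dispatcher vs. the loader's copy
            System.out.println("cast succeeded: " + d);
        } catch (ClassCastException e) {
            System.out.println("cast failed: " + e.getMessage());
        }
    }
}
```

Compile with `javac DuplicateClassDemo.java` and run `java DuplicateClassDemo` from the same directory so the class file is available as a classpath resource.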

Lots of learning about the Maven code base occurred. The only interesting finding was how, instead of putting the decryption on the accessor (getter) of password from the settings data structure, it is put in each place where the password is used (e.g. the Wagon "dispatcher", and now the SCM "dispatcher"). I'll bring up a refactoring of that with the Maven IRC folks...