48

In our settings.xml file we have the following:

<servers>
    <server>
      <id>deploymentRepo</id>
      <username>repouser</username>
      <password>repopwd</password>
    </server>
</servers>

Would it be possible to pass those settings (or their equivalent) via environmental variables instead of the settings.xml?

6
  • 3
    Security concerns. We do not want those values in a file. Commented Jul 6, 2015 at 17:23
  • 5
    If you pass the passwords via environment variables they will appear in the process list. Maven has some support to encrypt passwords: maven.apache.org/guides/mini/guide-encryption.html
    – wemu
    Commented Jul 6, 2015 at 18:38
  • @wemu, thanks for the feedback. We are looking into that also. Commented Jul 6, 2015 at 18:47
  • Exactly the opposite: because environment variables are visible, go the way @wemu suggested.
    – khmarbaise
    Commented Jul 6, 2015 at 18:58
  • 1
    When building on a CI SaaS, using "private variables" to pass secret tokens to builds through the environment is the BKM and considered secure. Editing a "user home file" is considered insecure.
    – Guss
    Commented Oct 27, 2018 at 16:54

4 Answers

101

Yes, you can do this in two ways:

  • passing properties in the command line, using variables. For example, you can use in your settings.xml something like this:
<servers>
    <server>
      <id>deploymentRepo</id>
      <username>${server.username}</username>
      <password>${server.password}</password>
    </server>
</servers>

And in the command line, pass these variables in this way:

mvn clean package -Dserver.username=yourusername -Dserver.password=yourpassword

Please note that passing a password as a command-line option is a security issue, so prefer the second option.

  • exporting environment properties. For example, if you export SERVER_USERNAME and SERVER_PASSWORD variables (in Linux, something like export SERVER_USERNAME=yourusername), you can use them like this:
<servers>
    <server>
      <id>deploymentRepo</id>
      <username>${env.SERVER_USERNAME}</username>
      <password>${env.SERVER_PASSWORD}</password>
    </server>
</servers>

For more information about properties, see the reference documentation.
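An added example, not part of the answer above: a small audit that reads a settings.xml and reports, per server, whether the password is stored in plaintext, comes from a `${property}` (for example `-D` on the command line), comes from `${env.NAME}`, or uses the `{...}` form from Maven's password encryption guide linked in the comments. The function names and the sample file are constructed for illustration; only `deploymentRepo` and the `SERVER_*` names come from the page.

```python
import re
import xml.etree.ElementTree as ET

ENV_REF = re.compile(r"^\$\{env\.([A-Za-z_][A-Za-z0-9_]*)\}$")   # ${env.NAME}
PROP_REF = re.compile(r"^\$\{[^}]+\}$")                          # ${some.property}
ENCRYPTED = re.compile(r"^\{.+\}$")   # {...} form written by mvn --encrypt-password

def local(tag):
    """Drop the XML namespace so files with or without xmlns both parse."""
    return tag.rsplit("}", 1)[-1]

def classify(value, environ):
    value = (value or "").strip()
    if not value:
        return "empty"
    env = ENV_REF.match(value)
    if env:
        return "env" if environ.get(env.group(1)) else "env-unset"
    if PROP_REF.match(value):
        return "property"      # resolved from a property, e.g. -D in the process arguments
    if ENCRYPTED.match(value):
        return "encrypted"
    return "plaintext"         # secret stored in the file itself

def audit_settings(xml_text, environ):
    """Map each <server> id to how its <password> is supplied."""
    result = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) == "server":
            fields = {local(child.tag): child.text for child in elem}
            result[fields.get("id")] = classify(fields.get("password"), environ)
    return result

# Constructed sample; only deploymentRepo and the SERVER_* names come from the page.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>deploymentRepo</id><password>repopwd</password></server>
    <server><id>viaProperty</id><password>${server.password}</password></server>
    <server><id>viaEnv</id><password>${env.SERVER_PASSWORD}</password></server>
    <server><id>viaUnsetEnv</id><password>${env.OTHER_PASSWORD}</password></server>
    <server><id>viaEncryption</id><password>{c2FtcGxlLW9ubHk=}</password></server>
  </servers>
</settings>"""

if __name__ == "__main__":
    for server_id, kind in audit_settings(SAMPLE, {"SERVER_PASSWORD": "x"}).items():
        print(f"{server_id}: {kind}")
```

Run as a pre-build step, an `env-unset` or `plaintext` result is the cue to stop before `mvn deploy` is invoked.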

0

You can pass values from command line

mvn -Dvar=someValue -Dtest.username=xyz install

In the POM file, you can refer to system variables (specified on the command line, or in the pom) as ${var}, and environment variables as ${env.myVariable}, i.e., ${test.username}

You can also refer to the Surefire plugin doc.

0

You can pass the URL including the credentials like

mvn deploy -DaltReleaseDeploymentRepository=myrepo::https://user:pass@server/repo

see https://maven.apache.org/plugins/maven-deploy-plugin/deploy-mojo.html

0

The world has changed significantly in the almost a decade since this was first written, so, as is often the case with security, it can help to start with a bit of threat modelling. Perhaps one will choose to accept the risk, but perhaps one will not if that could have some extremely serious consequences.

If it's one's local machine and an attacker's got in, one has got bigger problems.

More likely, if one is reading this today, one is in a cloud security context. Then for example Trend Micro considers environment variables themselves to be full of hidden dangers and thus a security issue, and instead to use a vault (not to be confused with Jackrabbit FileVault), for example see this StackExchange comparison of environment variables with HashiCorp Vault, to reduce any identified risks to a minimum and make it harder for cybercriminals.
