ant-dev mailing list archives

From "Steve Loughran" <stev...@iseran.com>
Subject Password storage (was Re: FTP & JSPC)
Date Tue, 01 Aug 2000 19:54:09 GMT

----- Original Message -----
From: "Roger Vaughn" <rvaughn@seaconinc.com>
To: <ant-dev@jakarta.apache.org>
Sent: Tuesday, August 01, 2000 07:25
Subject: Re: FTP & JSPC


> Thanks for the comments.  Part of my goal in developing builds is that
> they must be fully automatable.  I'm opposed to pop-up dialogs or even
> interactive command-line for that reason.  (The Microsoft signcode tool
> *really* bugs me for this reason - it pops up a dialog for passwords.)
> The environment variable solution you suggest is slightly better - but
> in an automated environment just moves the problem to a script file.
>
> Perhaps we need a password storage utility similar to the way cvs login
> handles things - encoding the passwords in a private file.  These could
> be read by Ant using a standard mechanism - perhaps a new task to read a
> password and store it in a property, or maybe a method in Task to read a
> password, so tasks that need them can access them internally.  Then the
> tag for a task would only need to include some sort of key for the
> password, rather than the password itself.

How about having your task include the password in a property in the command
line? This needs no extra code and you can keep the password out of
everywhere except your .history or equivalent?

To be honest, if you are using ftp or basic-auth HTTP then the pass is being
sent out in 'lightly massaged plaintext' anyway, so being vastly paranoid
about text encoding is probably overkill.

But if you are paranoid then the java.security.Keystore class is the place
to start - except it is a Java 1.2 feature (and security changed again in
Java 1.3). So doing sophisticated password protection is going to be tricky
across all Ant-supported platforms. Also, I don't know how well the keystore
really encrypts stuff, especially in exported JVMs.

    -Steve

[Who only trusts all his important passwords to Bruce Schneier's Password
Safe app from counterpane.com, and then with a long passphrase]
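
The "new task to read a password and store it in a property" idea from the quoted message, sketched as an added example; it is not code from this thread or from the Ant project. The class name `LoadPassword`, its `key`/`property`/`file` attributes and the `~/.antpass` file are assumptions, the file is a plain `key=password` properties file protected by file permissions rather than by any encoding, and the code uses `java.nio.file` from a modern JDK rather than the Java releases discussed above.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;
import org.apache.tools.ant.BuildException;
import org.apache.tools.ant.Task;

// Hypothetical task: looks up a password by key in a private file and exposes it as a property.
public class LoadPassword extends Task {
    private String key;        // lookup key in the password file
    private String property;   // Ant property that receives the password
    private Path file = new File(System.getProperty("user.home"), ".antpass").toPath();
    public void setKey(String key) { this.key = key; }
    public void setProperty(String property) { this.property = property; }
    public void setFile(File file) { this.file = file.toPath(); }
    @Override
    public void execute() throws BuildException {
        if (key == null || property == null) {
            throw new BuildException("key and property attributes are required");
        }
        try {
            requireOwnerOnly(file);
            Properties store = new Properties();
            try (InputStream in = Files.newInputStream(file)) {
                store.load(in);
            }
            String password = store.getProperty(key);
            if (password == null) {
                throw new BuildException("no entry for key '" + key + "' in " + file);
            }
            getProject().setNewProperty(property, password);
        } catch (IOException e) {
            throw new BuildException("cannot read " + file, e);
        }
    }
    // Refuse a file that group or other users can read (checked on POSIX file systems only).
    private static void requireOwnerOnly(Path p) throws IOException {
        if (!Files.getFileStore(p).supportsFileAttributeView("posix")) return;
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        if (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ)) {
            throw new BuildException(p + " must be readable by its owner only (chmod 600)");
        }
    }
}
```

Once registered with `<taskdef>`, a build file would carry only the key, for example `<loadpassword key="ftp.deploy" property="ftp.password"/>` (names assumed). The value is then an ordinary Ant property, visible to every later task in the build and in debug-level output.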



