+2 votes
in tools.deps by

Hello,

When I try to use Maven Password Encryption, dependency resolution fails with a 401 HTTP error code because tools.deps sends the encrypted password from settings.xml without decryption. I used the following scenario:

1. Create settings.xml and settings-security.xml with encrypted master and server passwords according to the Maven guide.
2. Add the repository from settings.xml to deps.edn according to the Maven authenticated repos guide.
3. Ensure that ~/.m2/repository doesn't have some Maven dependency from deps.edn.
4. Create pom.xml with the same list of dependencies as those that are in deps.edn.
5. Run clj -X:deps tree. The command fails with a 401 HTTP error code.
6. Run mvn dependency:tree. The command resolves and downloads all dependencies.
7. Remove some dependencies from ~/.m2/repository.
8. In settings.xml, replace the encoded server password with the plain-text server password.
9. Run clj -X:deps tree. The command resolves and downloads all dependencies.

I've looked at the sources of tools.deps and it looks like there is no support for such passwords, but it may be that I was looking in the wrong places.

Could you please help me understand: am I using an incorrect configuration in deps.edn, or does tools.deps not support encrypted Maven passwords?

1 Answer

0 votes
by

You are correct in that tools.deps does not currently support encrypted Maven passwords in the settings.xml. I have logged a jira for this at https://clojure.atlassian.net/browse/TDEPS-255.
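
A check for the condition confirmed above, as an added example that is not part of the original thread or of tools.deps: it lists the server entries in a settings.xml whose password is in Maven's encrypted {...} form, which tools.deps sends as-is. The function names and the sample file are constructed for illustration, and the brace matching is an assumption that approximates Maven's convention (unescaped braces mark ciphertext).

```python
import re
import xml.etree.ElementTree as ET

# Assumption: Maven marks an encrypted value with unescaped curly braces;
# text outside the braces is a free-form comment, and \{ \} are literals.
ENCRYPTED = re.compile(r"(?<!\\)\{(.+?)(?<!\\)\}")

# Constructed sample settings.xml (ids, user and values are made up).
SAMPLE_SETTINGS = r"""<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>internal-releases</id><username>ci</username>
      <password>{CONSTRUCTEDciphertextAAAA=}</password></server>
    <server><id>internal-snapshots</id><username>ci</username>
      <password>rotated 2024-01-01 {CONSTRUCTEDciphertextBBBB=}</password></server>
    <server><id>legacy-mirror</id><username>ci</username>
      <password>plain\{text\}</password></server>
  </servers>
</settings>"""


def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_servers(settings_xml):
    """Map each <server> id to 'encrypted', 'plaintext' or 'none'."""
    report = {}
    for el in ET.fromstring(settings_xml).iter():
        if local(el.tag) != "server":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        pw = fields.get("password", "")
        if not pw:
            report[fields.get("id", "?")] = "none"
        elif ENCRYPTED.search(pw):
            report[fields.get("id", "?")] = "encrypted"
        else:
            report[fields.get("id", "?")] = "plaintext"
    return report


def sent_undecrypted(settings_xml):
    """Server ids whose password tools.deps would send as ciphertext."""
    return [sid for sid, s in audit_servers(settings_xml).items() if s == "encrypted"]


if __name__ == "__main__":
    for sid in sent_undecrypted(SAMPLE_SETTINGS):
        print(f"{sid}: encrypted password, expect HTTP 401 from clj -X:deps tree")
```

Run against a real file by passing its contents to sent_undecrypted; the ids it returns are the ones to compare with the repository names in deps.edn.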

by
I've created a patch that adds such support. Can I share it somehow?
by
I've sent you an invite to join jira so you can contribute on the jira. Even more so than the patch, would welcome a discussion on approach first. Not sure if there are Maven APIs you can use for this or if it would require xml parsing etc.

And there are definitely many possible ways to convey the master Maven password for decryption so would like to see a discussion of tradeoffs for that.
...