
$password:

The $password: function shortcut lets you use a password credential without embedding the password directly in your Ant script or loading it into easily leaked Ant properties. Whether the referenced password is clear text or cipher text is application dependent. This funcut works by reading passwords stored in an external source, typically an appropriately protected password file. The $password: funcut is a query-only feature: you cannot use it to modify existing data.

By default the password funcut handler looks for the password source in the following places (in order). If it cannot find a match for any of these sources, the funcut handler returns null (which Ant interprets as an unresolved property). Currently AntXtras only supports a single passwords source for any given execution cycle.

  1. It looks for a “passwordfile” artifact URL by checking for a $artifact: function shortcut.
  2. It looks for a memory-based properties-like object under the “run.passwords” id. [USE FOR DEBUG]
  3. It looks for a file name under the “jware.antxtras.defaults.passwordfile” property.
  4. It looks for a file “run.passwords” under directory ${user.home}/.ant/.private.
  5. It looks for a fallback password value under the “jware.antxtras.defaults.password” property.

If you use a source password file, you still need to secure it using whatever access control mechanisms your filesystem provides. The running Ant process requires only read access to the file.
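An added example (not part of the AntXtras documentation or code): a shell check that a password file, such as the default run.passwords from item 4, is a regular file owned by the build user, closed to group and others, and kept in a directory that group and others cannot write to. The function names are hypothetical, and the check assumes POSIX-style permissions and that ${user.home} corresponds to $HOME.

```shell
#!/usr/bin/env bash
# Added example: audit a $password: source file before a build reads it.
# Usage (assumed location from item 4 of the lookup list):
#   ./check-passwordfile.sh "$HOME/.ant/.private/run.passwords"

# Print the nine permission characters (rwxrwxrwx form) of a path.
mode_bits() {
    ls -ld -- "$1" | cut -c2-10
}

# check_password_file FILE
# Returns 0 when FILE is acceptable; otherwise prints a reason and returns 1.
check_password_file() {
    local f="$1" dir bits
    dir=$(dirname -- "$f")

    # A symlink could redirect the read to a file someone else controls.
    if [ -L "$f" ]; then echo "symlink, refusing: $f"; return 1; fi
    if [ ! -f "$f" ]; then echo "not a regular file: $f"; return 1; fi
    if [ ! -O "$f" ]; then echo "not owned by the current user: $f"; return 1; fi

    # Ant needs read access only; group and others must have no access.
    bits=$(mode_bits "$f")
    case "$bits" in
        r??------) ;;
        *) echo "file mode too open or unreadable ($bits): $f"; return 1 ;;
    esac

    # Anyone who can write the directory can swap the file out.
    bits=$(mode_bits "$dir")
    case "$bits" in
        ????-??-?) ;;
        *) echo "directory writable by group/others ($bits): $dir"; return 1 ;;
    esac
    return 0
}

# Run the check when a path is given on the command line.
[ "$#" -eq 0 ] || check_password_file "$1"
```

Running it as the first step of the build job lets the job stop before Ant resolves any $password: reference against a file that other accounts can read or replace.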

Although this funcut is called the “$password:” shortcut, you can also use it to load the user id or user name part of a basic auth credential. For instance, you could use fixed marker ids in your scripts, but load both the real user name and password from an external file at runtime.

The $password: funcut is automatically installed and enabled by the standard AntXtras funcuts antlib. You can also explicitly install this funcut’s handler; read the Examples section to see how this is done.

Parameters

The general form of the function shortcut is: $password:key where key is the key name for the password to be loaded. Note that we keep saying the password will be loaded (as opposed to will be selected). Unless you’re using a memory-based properties object (not a good idea outside of testing unless values are cipher text), AntXtras will load the password source every time and purge it once it is done using the data.

Examples

Installing $password: shortcut

The following snippet explicitly declares the password function shortcut and links it to the ‘$password:’ scheme. If you choose to activate shortcuts manually, you’ll need to do something like this at the start of your Ant script’s execution.

    <oja:managefuncuts action="enable">
      <parameter name="password"
        value="${ojaf}.info.PasswordFunctionShortcut"/>
    </oja:managefuncuts>

Reading a password

The following snippet is an updated form of one of the standard Ant <sql> task examples. This example shows how you would use $password: instead of embedding the sa password directly into your Ant script. Note that the script also verifies that the password file location has been initialized earlier (typically done in an ‘initialize’ target of some kind).

    <fixturecheck isset="${$defaultsproperty:passwordfile}"
      message="The default password file property setup properly"/>

    <sql
        driver="org.database.jdbcDriver"
        url="jdbc:database-url"
        userid="sa"
        password="${$password:dbsa}"
        src="${data.sql}"
    />

Using debug-only passwords

The following snippet shows an example of how you can set up a local <properties> object to hold dummy or local-only credentials during script development. The memory-based development passwords are defined if and only if the .official property does not exist and the dryrun.enabled flag is set to a positive boolean value like “true”.

    <do unless=".official" ifTrue="dryrun.enabled">
      <datadef name="run.passwords" setid="yes">
        <properties>
          <property name="uploader" value="unsecure12"/>
          <property name="deployer" value="seekrit007"/>
        </properties>
      </datadef>
    </do>

    <signjar jar="${out.d}/lib/mylib.jar"
       alias="mygroup" storepass="${$password:uploader}"/>

    <targz tarfile="${pkg.d}/mypkg.tgz" basedir="${out.d}"/>

    <scp file="${pkg.d}/mypkg.tgz"
       todir="deployer@somehost:/home/deployer/packages"
       password="${$password:deployer}"/>
