Does Maven transmit username/passwords in plaintext over http

If I have a username/password in my settings.xml file for a (Nexus) remote repository with an HTTP (not HTTPS) URL, will this username/password be sent in plaintext to the remote server?

I'm wondering if there's a potential security issue with our public-facing HTTP-only password-authenticated Nexus server.

Solution

Maven uses HTTP Basic authentication to send the credentials. A typical HTTP header for this looks something along the lines of:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Where QWxhZGRpbjpvcGVuIHNlc2FtZQ== is actually a Base64-encoded representation of your username:password combination. This offers no security whatsoever, but it's not plain-text either.

For more details on HTTP Basic authentication, you can check here.

Most build tools like Maven, Ant, Gradle, SBT, npm, use HTTP Basic. That's not as secure as it should be. Using it over HTTPS could make you feel more secure. :)

NullPointerException in Java JDK code while performing parallelStream.forEach(..)
Locating code that is filling PermGen with dead Groovy code
Cannot find test class in project - "The input type of the launch configuration does not exist"
Passing the values to the fraction class in java
How to use different authentication methods for different paths using Spring Security
how to fetch and validate csv header in open csv?
4-Sum algorithm failing with duplicate values in Java
Error getting month while using Calendar object
java Calendar Timezones strange stuff
java.util.Date class with different approach for same date gives different output
Finding out the type of invoked method in JDT
How to get the size of a file in MB (Megabytes)?
Exception in thread "main" java.lang.IllegalStateException: Attempted to load Config resource 'class path resource [application.yml]'
Why does Google Calendar.Events.Watch say my request is not HTTPS
Java - Class.forName, how to get a Field from Class
Use of verify() method with and without times(1) parameter
JDBC connection without database definition
Running my testNG project from a jar using Maven
Do subclasses inherit interfaces?
Spring Security - how can I ask invoke access control methods directly?
most accurate time type in java?
How to get the currently selected application from Windows in Java
validate the credit card expiry date using java?
Finding the square root of a number by using binary search
log4j : current time in milliseconds
Why Joda DateTime gives different result than Java Date?
Tomcat - maxThreads vs. maxConnections
Android notification importance cannot be changed
How to enable all endpoints in actuator (Spring Boot 2.0.0 RC1)
Map rainbow colors to RGB