Configure Maven Authentication

JFrog Artifactory Documentation

ft:sourceType
Paligo

Artifactory requires user authentication in three cases:

  • Anonymous access has been disabled by unchecking the global Allow Anonymous AccessIntroduction to the General Security Settings setting.

  • You want to restrict access to repositories to a limited set of users

  • When deploying builds (while theoretically possible, it is uncommon to allow anonymous access to deployment repositories)

Authentication is configured in Maven using <server> elements in the settings.xml file.

Each <repository> and <mirror> element specified in the file must have a corresponding <server> element with a matching <id> that specifies the username and password.

The sample snippet below emphasizes that the <repository> element with id=central has a corresponding <server> element with id=central.

Similarly, the <repository> element with id=snapshots has a corresponding <server> element with id=snapshots.

The same would hold for <mirror> elements that require authentication.

In both cases the username is admin and the password is encrypted.

Artifactory encrypts passwords for safe and secure access to Maven repositories

To avoid having to use cleartext passwords, Artifactory encrypts the password in the settings.xml file that is generated. For example, in the above sample snippet we can see that the admin user name is specified in cleartext, but the password is encrypted:Centrally Secure Passwords

<username>admin</username> <password>\{DESede\}kFposSPUydYZf89Sy/o4wA==</password>

Synchronizing authentication details for repositories with the same URL

If you have repository definitions (either for deployment or download) that use the same URL, Maven takes the authentication details (from the corresponding server definition) of the first repository encountered and uses it for the life-time of the running build for all repositories with the same URL. This may cause authentication to fail (producing 401 errors for downloads or deployment) if you are using different authentication details for the respective repositories.This is inherent Maven behavior and can only be solved by using the same authentication details for all repository definitions with the same URL in your settings.xml .