Maven server authentication as profile properties

Question

Hi all,

I am trying to setup a shared authentication system on a build server. We have several maven projects that declares how the deployment should be done regarding the different teams that we have (each team has its own authentication user/password):

<profile>
  <id>release-profile</id>
  <distributionManagement>
    <repository>
        <id>rep-releases</id>
        <name>rep-releases</name>
        <url>http://somewhere-releases&lt;/url&gt;
    </repository>
    <snapshotRepository>
        <id>rep-snapshots</id>
        <name>rep-snapshots</name>
        <url>http://somewhere-snapshots&lt;/url&gt;
    </snapshotRepository>
  </distributionManagement>
</profile>

Then I declare in the settings.xml the authentification to the declared servers as following:

<servers>
  <server>
    <id>rep-releases</id>
    <username>${release.user.name}</username>
    <password>${release.user.password}</password>
  </server>     
  <server>
    <id>rep-snapshots</id>
    <username>${release.user.name}</username>
    <password>${release.user.password}</password>
  </server>      
</servers>

Finally, depending on the projects I want to deploy I have several profiles defined in the settings.xml of the build server:

<profile>
  <id>dep-team1</id>
  <activation>
    <activeByDefault>false</activeByDefault>
  </activation>
  <properties>
    <release.user.name>team1-user</release.user.name>
    <release.user.password>team1-password</release.user.password>
  </properties>
</profile>

The problem is that when doing a deploy of the project I got an authentication error (HTTP 401) like the following:

Error deploying artifact: Failed to transfer file: http://......./my-project-0.2-20090423.123247-3.pom. Return code is: 401

If I modify the server authentication by replacing the properties with the user/password of the team, all is working fine.

Don't the tags <servers><server> accept values as properties?

How do others setup their build system in order to achieve the same?

Thanks for your help.

Edit: I am using hudson, a solution for me can be to install several time maven2 and have duplicated settings (except user/password) for each team and tie each project to the good maven installation. I must admit that this solution does not enchant me...

Answer 1

First of all, I do not see how dep-team1 profile is connected to the distributionManagement tag - it seems to need release-profile to be active.

Second, I have my profile element structured a bit differntly (see, there is no distributionManagement tag within). Not sure if it makes the difference.:

<profile>
  <id>release-profile</id>
  <repositories>
    <repository>
      <id>central</id>
      <url>http://central&lt;/url&gt;
      <releases><enabled>true</enabled></releases>
      <snapshots><enabled>true</enabled></snapshots>
    </repository>
  </repositories>
</profile>

Here is the distribution management:

</project>
   <distributionManagement>

    <repository>
      <id>releases</id>
      <url>http://myurl/releases&lt;/url&gt;
    </repository>

    <snapshotRepository>
      <id>snapshots</id>
      <url>http://myurl/snapshots&lt;/url&gt;
    </snapshotRepository>

  </distributionManagement>
</project>

Answer 2

The easiest and most direct method if you have multiple teams and thus multiple auth schemes, is just use a different id in the distributionManagement. So instead of rep-releases/rep-snapshots, you can have team1-repo / team2-repo (there's generally no value in separating the auth between release and snapshots...particularly if you use a repo manager with good security controls)

Then in the settings of your build machine, just define a user and password for each team for the build server.

This approach does have a draw back that it would mess up inheritence if you defined the repos in a single corporate pom...but if you have a team level pom it would be easy.

Another thought is why does the same build machine need to login as a different person when doing builds? Shouldn't that build machine have mostly full access?