如何在settings.xml中使用artifactory-maven-plugin中的用户名和密码？

Question

Here is a configuration sample of artifactory-maven-plugin :

<build>
    <plugins>
        ...
        <plugin>
            <groupId>org.jfrog.buildinfo</groupId>
            <artifactId>artifactory-maven-plugin</artifactId>
            <version>2.6.1</version>
            <inherited>false</inherited>
            <executions>
                <execution>
                    <id>build-info</id>
                    <goals>
                        <goal>publish</goal>
                    </goals>
                    <configuration>
                        <deployProperties>
                            <gradle>awesome</gradle>
                            <review.team>qa</review.team>
                        </deployProperties>
                        <publisher>
                            <contextUrl>https://oss.jfrog.org</contextUrl>
                            <username>deployer</username>
                            <password>{DESede}...</password>
                            <repoKey>libs-release-local</repoKey>
                            <snapshotRepoKey>libs-snapshot-local</snapshotRepoKey>
                        </publisher>
                    </configuration>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

In that case I have to manual setup contextUrl , userName and password . While standart maven deploy plugin uses such parameters from setting.xml (like that):

<servers>
  <server>
    <username>username</username>
    <id>server-id</id>
    <password>pass</password>
  </server>
</servers>

Why jfrom did not use username, url, ... etc. from setting.xml ? Is there a way to specify only server id without pass and username?

Of course someone can define a properties in settings xml and use them in plugin definition, but in that case these properties can be easily shared with all projects and be outputted by anyone to console during third party builds.

<properties>
   <username></username>
</properties>

Answer 1

The official documentation actually suggests a different approach:

Keeping your Artifactory publisher credentials secure
If you prefer to keep your Artifactory publisher credentials ( username and password ) secure (rather than providing them as free text in the plugin configuration), we recommend storing them as environment variables or system properties and have the plugin read them when needed. Since the usual Maven deploy does not support environment variables or system properties in settings.xml , this capability is unique to the Maven Artifactory Plugin.

Hence, indeed the expected functionality of referring to a server id defined in the settings.xml is not implemented .

---

One side note : to enforce good practices, deployments to a Maven Repository should be executed in automated way by a Continuous Integration server (ie Jenkins). In this case, the Artifactory plugin for the CI server (ie the Artifactory Jenkins Plugin ) would handle it in a safe way, centralizing this mechanism only in one place (the CI server), behind user management and governance, avoiding accidental actions from local machine. Things that could go wrong otherwise (publishing from local machine):

• code may not be aligned under version control, publishing a harder to troubleshoot artifact
• tests may have been skipped, publishing a potential bug
• build may be only reproducible on that machine, publishing a non re-buildable artifact

Having it in the pom.xml may indeed expose it somehow to the issues above (somebody from the team could mistakenly trigger it), while automated processes and gates would insure certain steps.

Answer 2

I agree that setting up an automated build box and using jenkins/hudson or some similar product would be ideal for this. If you are strapped for time and still want something that has a little bit more security to it, you could consider setting up ssh authentication. documentation below:

https://www.jfrog.com/confluence/display/RTF/SSH+Integration