Configure jcenter for only downloading artifacts and Artifactory for deploying artifacts

Question

We have Artifactory setup and we use Maven central repo for downloading artifacts, which are then automatically cached in Artifactory. We also upload/deploy our own artifacts in Artifactory.

I now want to replace Maven central repo with jcenter and would like to continue using our Artifactory for uploading/deploying our own artifacts and for also caching the jcenter (and any third-party) artifacts. I can ask all developers to modify their settings.xml file as it will be a one-time activity so that's not a problem.

I saw this link by @helmedeiros which describes making changes in <repositories> and <pluginRepositories> section of settings.xml file. However, those are the sections where i specify URL for our Artifactory server. If i replace my Artifactory URL, then it would mean that i will be able to both fetch and upload artifacts from jcenter which is not what i want.

How can i ensure that all developers are only able to pull (NOT deploy/upload) from jcenter and deploy/upload ONLY to Artifactory?

Here's what we have right now in settings.xml:

<?xml version="1.0" encoding="UTF-8"?>
<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd" xmlns="http://maven.apache.org/SETTINGS/1.1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <servers>
    <server>
      <username>${security.getCurrentUsername()}</username>
      <password>${security.getEscapedEncryptedPassword()!"*** Insert encrypted password here ***"}</password>
      <id>central</id>
    </server>
    <server>
      <username>${security.getCurrentUsername()}</username>
      <password>${security.getEscapedEncryptedPassword()!"*** Insert encrypted password here ***"}</password>
      <id>snapshots</id>
    </server>
  </servers>
  <profiles>
    <profile>
      <repositories>
        <repository>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
          <id>central</id>
          <name>libs-release</name>
          <url>https://inhouse-artifactory/artifactory/libs-release</url>
        </repository>
        <repository>
          <snapshots />
          <id>snapshots</id>
          <name>libs-snapshot</name>
          <url>https://inhouse-artifactory/artifactory/libs-snapshot</url>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
          <id>central</id>
          <name>plugins-release</name>
          <url>https://inhouse-artifactory/artifactory/plugins-release</url>
        </pluginRepository>
        <pluginRepository>
          <snapshots />
          <id>snapshots</id>
          <name>plugins-snapshot</name>
          <url>https://inhouse-artifactory/artifactory/plugins-snapshot</url>
        </pluginRepository>
      </pluginRepositories>
      <id>artifactory</id>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>artifactory</activeProfile>
  </activeProfiles>
</settings>

I will really appreciate any help in this regard.

Answer 1

I have exactly the same question :)

My solution is to create an Artifactory virtual repository (forgerock-third-party-virtual) to cache most of the public artifacts.

This virtual repository includes a remote repository based on jcenter:

On the virtual repository, there is no default deployment repository:

So with this setting, I hope the developers won't be able to push in this virtual repository.

According to the JFrog documentation , you have select one repository in this drop-down to be able to push into a virtual repository.

Regarding the deployment settings, we also have a parent pom where we specified our own repositories in the <distributionManagement> section.

On my build machines, I've added this profile (in .m2/settings.xml) to cache the artifacts:

 <profile>
  <id>force-third-party-repo</id>
  <activation>
    <activeByDefault>true</activeByDefault>
  </activation>
  <repositories>
    <repository>
      <id>forgerock-third-party</id>
      <name>ForgeRock Third Party Repository</name>
      <url>http://maven.forgerock.org/repo/forgerock-third-party-virtual</url>
      <snapshots>
        <enabled>true</enabled>
      </snapshots>
      <releases>
        <enabled>true</enabled>
      </releases>
    </repository>
  </repositories>
   <pluginRepositories>
    <pluginRepository>
      <id>forgerock-third-party</id>
      <name>ForgeRock Third Party Repository</name>
      <url>http://maven.forgerock.org/repo/forgerock-third-party-virtual</url>
      <snapshots>
        <enabled>true</enabled>
      </snapshots>
      <releases>
        <enabled>true</enabled>
      </releases>
    </pluginRepository>
  </pluginRepositories>
</profile>

I have other settings in this file to declare our own Artifactory repositories (for pushing/pulling our own artifacts) + some Maven credentials.

I did some tests with one of our Maven projects and it was working fine.

Once the new .m2/settings.xml will be ready, I'll push a template in an internal Artifactory repository, so the developers will be able to get this template with a curl command.

FYI, this is a POC for the moment. We want to move in production with these settings in a few days.