Where do I put my credentials when using Ivy and a private company repository?

Solution 1

Use a settings file with properties controlling the Nexus credentials:

<ivysettings>
    <property name="repo.host" value="default.mycompany.com" override="false"/>
    <property name="repo.realm" value="Sonatype Nexus Repository Manager" override="false"/>
    <property name="repo.user" value="deployment"  override="false"/>
    <property name="repo.pass" value="deployment123"  override="false"/>          

    <credentials host="${repo.host}" realm="${repo.realm}" username="${repo.user}" passwd="${repo.pass}"/>

    ..
    ..
</ivysettings>

When you run the build you can then specify the true username and password:

ant -Drepo.user=mark -Drepo.pass=s3Cret

Update/Enhancement

Storing passwords as properties on the file system requires encryption.

Jasypt has a command-line program that can generate encrypted strings:

$ encrypt.sh verbose=0 password=123 input=s3Cret
hXiMYkpsPY7j3aIh/2/vfQ==

This can be saved in the build's property file:

username=bill
password=ENC(hXiMYkpsPY7j3aIh/2/vfQ==)

The following ANT target will decrypt any encrypted ANT properties:

<target name="decrypt">
    <taskdef name="groovy" classname="org.codehaus.groovy.ant.Groovy" classpathref="build.path"/>

    <groovy>
    import org.jasypt.properties.EncryptableProperties
    import org.jasypt.encryption.pbe.StandardPBEStringEncryptor

    StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor()
    encryptor.setPassword(properties["master.pass"])

    Properties props = new EncryptableProperties((Properties)properties, encryptor);

    props.propertyNames().each {
        properties[it] = props.getProperty(it)
    }
    </groovy>
</target>

Of course to make this work, the password used for encrypting the properties needs to be specified as part of the build.

ant -Dmaster.pass=123

This means the solution is only good for hiding data at rest.

Solution 2

For my purposes the command-line credentials weren't an option because I'm running through Jenkins and they'd be clearly pasted on the build output, so here was my solution which strikes a balance by being reasonably secure.

• Create a properties file in your home directory that contains the sensitive information (we'll call it "maven.repo.properties")

  repo.username=admin
  repo.password=password
  

• Near the top of your build file, import the property file

  <property file="${user.home}/maven.repo.properties"/>
  

• In your publish target under build.xml, set your ivy settings file location (which does get checked in to code control) but embed your credential properties

  <target name="publish">
      <ivy:settings file="ivysettings.xml">
          <credentials host="repohostname" realm="Artifactory Realm" username="${repo.username}" passwd="${repo.password}"/>
      </ivy:settings>
      <!-- ivy:makepom and ivy:publish targets go here -->
  </target>
  

• Create your ivysettings.xml just as you did before, but strip out the username and passwd attributes

You can then leverage your operating system's permissions to make sure that the maven.repo.properties file is properly hidden from everybody except you (or your automatic build implementation).

Solution 3

The ivysettings.xml sample in Mark O'Connor's answer should actually be as follows:

<ivysettings>
  <property name="repo.host" value="default.mycompany.com" override="false"/>
  <property name="repo.realm" value="Sonatype Nexus Repository Manager" override="false"/>
  <property name="repo.user" value="deployment"  override="false"/>
  <property name="repo.pass" value="deployment123"  override="false"/>          

  <credentials host="${repo.host}" realm="${repo.realm}" username="${repo.user}" passwd="${repo.pass}"/>

  ..
</ivysettings>

Means, the property names should not be surrounded by ${...} (it took me quite a while to find out why this failed - but now I know how to debug ivy access - use commons-httpclient-3.0, set everything to verbose etc.)

Author by

kalithlev

Updated on June 03, 2022