[GRADLE-2365] Maven Repositories Should Use settings.xml For Authentication Created: 27/Jun/12  Updated: 08/Feb/17  Resolved: 08/Feb/17

Status: Resolved
Project: Gradle
Affects Version/s: 1.0
Fix Version/s: None

Type: Improvement
Reporter: Ray Gauss II Assignee: Unassigned
Resolution: Duplicate Votes: 20


A user should be able to define a maven repository with a name and Gradle should obey any authentication defined in their settings.xml.

While the ability to specify credentials for a repository exists, that solution requires the password to be stored in clear text somewhere.

You could specify that in gradle.properties, but that file almost certainly contains other config that needs to be persisted to a SCM system and shared by other devs and there doesn't seem to be a way to load something like a user.properties file that wouldn't be under SCM control. Regardless, the password would still be in clear text.

You could save the password as an environment variable, but again, the password will be saved in clear text somewhere.

A clear text password will be unacceptable in many environments and Maven's server password encryption should be supported: http://maven.apache.org/guides/mini/guide-encryption.html

Comment by Ray Gauss II [ 27/Jun/12 ]

Relates to GRADLE-1039

Comment by Manfred Moser [ 08/Nov/12 ]

Ideally reading the settings file and so on will be supported. This is also specifically important for proxying off and deploying to a company internal repository manager. From what I know the code to read settings.xml is pretty isolated in Maven. You might be able to pull it in as a dependency and just wrap it.

Comment by Manfred Moser [ 08/Nov/12 ]

Also keep in mind that the encryption is only security by obscurity to some extend since the username and password will be decrypted before they are sent across the wire..

Comment by Benjamin Muschko [ 15/Nov/16 ]

As announced on the Gradle blog we are planning to completely migrate issues from JIRA to GitHub.

We intend to prioritize issues that are actionable and impactful while working more closely with the community. Many of our JIRA issues are inactionable or irrelevant. We would like to request your help to ensure we can appropriately prioritize JIRA issues you’ve contributed to.

Please confirm that you still advocate for your JIRA issue before December 10th, 2016 by:

  • Checking that your issues contain requisite context, impact, behaviors, and examples as described in our published guidelines.
  • Leave a comment on the JIRA issue or open a new GitHub issue confirming that the above is complete.

We look forward to collaborating with you more closely on GitHub. Thank you for your contribution to Gradle!

Comment by Benjamin Muschko [ 08/Feb/17 ]

The issue is now tracked on GitHub: https://github.com/gradle/gradle/issues/1236

Generated at Wed Jun 30 12:19:56 CDT 2021 using Jira 8.4.2#804003-sha1:d21414fc212e3af190e92c2d2ac41299b89402cf.