54

I need to set up a Maven repository for some internal company libraries that need to be accessible only to our developers (i.e. secure), yet should be securely accessible over the Internet.

I'm familiar with setting up public Maven repos, but am unsure of the best way to set up a private remotely accessible repo.

How can I do this?

sanity
  • 1
    Off the top of my head, put it behind a VPN that only your developers have access to. – corsiKa Sep 13 '12 at 16:08
  • You cannot set up the repository in the local network? – Jin Kim Sep 13 '12 at 16:08
  • 1
    Many of our developers work remotely, so we don't really have a local network. I'd rather not set up a VPN just for this sole purpose. – sanity Sep 13 '12 at 16:09
  • 3
    The smartest thing to do in this case would be to just put the repository behind your firewall and allow people from the outside to access it over your VPN. You could set up a publicly accessible service that requires all users to present some sort of credentials, but why open your repository to the outside world (and all the risks that entails) when you don't really need anyone from outside your organization to use it? Assuming of course, you have a VPN - but if you have remote employees, you should probably have a VPN so they can access your internal services securely. – matt b Sep 13 '12 at 16:09
  • This link may be helpful in this context - [Maven private remote repository setup](http://stackoverflow.com/questions/20882622/maven-private-remote-repository-setup/28519671#28519671) – Razib Apr 21 '16 at 17:13

4 Answers

21

The solution is to use a Maven Repository Manager, such as Nexus, Artifactory or Archiva.

You install the MRM on a server and configure it with the authentication details of the users you want to have access to it.

You can see a publicly accessible Nexus instance at https://oss.sonatype.org and also at https://repository.apache.org. So on that basis it is fairly safe to assume that the authentication in Nexus is reliable and secure.

Artifactory is available as an on-line hosted service, and we use it (the on-line hosted service) for our internal artifact hosting.

Archiva is maintained by some really good guys and I suspect they have that well locked down too.

If you want to get up and running fast and you don't want to have to manage a server, I would recommend using a hosting service such as Artifactory. I do not know if there is an online Nexus or Archiva hosting service.

Now for the disclosures:

  1. JFrog (creators of Artifactory) is a partner of my employers and we use the Artifactory hosting service
  2. Sonatype (creators of Nexus) is a partner of my employers
  3. I am a member of the Apache Software Foundation (creators of Archiva)

I do not recommend which MRM you use. But as a Maven committer and PMC member I strongly recommend using a MRM.

Stephen Connolly
18

Amazon S3 is the best solution: http://www.stackoverflow.com/questions/850570/maven-s3-wagon-provider, because:

  1. No installation procedures
  2. Hosted by Amazon, highly available
  3. Fully supported by Maven through a few wagons (see the link above)

You may also find this article helpful: http://www.yegor256.com/2015/09/07/maven-repository-amazon-s3.html

yegor256
  • I would love to use S3, but I'm giving up. There are a few Maven S3 wagons, but they all seem very fragile and failed in weird ways when things change. For example, I'm not finding any that work on Java >= 9. – Pablo Fernandez Jun 27 '18 at 12:54
13

Since posting this question I discovered JitPack, which makes it incredibly easy to create public (free) and private (cheap) repos directly from GitHub.

sanity
  • 7
    I use [repsy.io](https://repsy.io). It gives a 1 GB free private Maven repository. – Fırat Küçük May 03 '20 at 15:11
  • Tried to deploy from a local Linux to repsy. Setup done according to the "Settings Documentation" feature in the web UI of repsy. Getting a 403 Forbidden when deploying via terminal and IntelliJ. It seems as if the credentials from ~/.m2/settings.xml aren't read. – JackLeEmmerdeur Nov 29 '20 at 00:15
  • I now can confirm that my ~/.m2/settings.xml is used by Maven, as I've set up a self-hosted Archiva Maven repo and entered the credentials in the settings.xml. – JackLeEmmerdeur Nov 29 '20 at 02:10
2

You can place usernames/passwords on different repos on your server with Archiva or Nexus. You can also manage who can deploy to those repos.

These can be added to your settings.xml file so you don't have to log in every time.

Peter Lawrey
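An added example, not part of any answer above: Maven selects credentials from `settings.xml` by matching each `<server>` `<id>` against the repository `<id>` in the POM, so a short audit script can flag mismatched ids, cleartext passwords and plain-HTTP repository URLs before anyone deploys. The file contents, ids, host names and the `audit` helper are constructed for illustration, and the `{*}` namespace wildcard assumes Python 3.8 or later.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs: ids, host and credentials are placeholders.
SETTINGS_XML = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"><servers>
  <server><id>internal-releases</id><username>deployer</username>
          <password>{ExampleEncryptedValue0=}</password></server>
  <server><id>internal-snapshot</id><username>deployer</username>
          <password>example-plaintext</password></server>
</servers></settings>"""

POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0"><distributionManagement>
  <repository><id>internal-releases</id>
              <url>https://repo.example.invalid/releases</url></repository>
  <snapshotRepository><id>internal-snapshots</id>
              <url>http://repo.example.invalid/snapshots</url></snapshotRepository>
</distributionManagement></project>"""

REPO_TAGS = ("repository", "snapshotRepository", "pluginRepository")

def audit(settings_xml, pom_xml):
    """Return a list of findings for a settings.xml / pom.xml pair."""
    settings, pom = ET.fromstring(settings_xml), ET.fromstring(pom_xml)
    # Map each <server> id to its password text ("{*}" ignores the XML namespace).
    servers = {s.findtext("{*}id"): (s.findtext("{*}password") or "").strip()
               for s in settings.findall(".//{*}server")}
    findings, used = [], set()
    for tag in REPO_TAGS:
        for repo in pom.findall(".//{*}" + tag):
            rid, url = repo.findtext("{*}id"), repo.findtext("{*}url") or ""
            used.add(rid)
            if rid not in servers:
                # Credentials are looked up by id; without a match none are sent.
                findings.append(f"{rid}: no <server> with this id in settings.xml")
            if url.startswith("http://"):
                findings.append(f"{rid}: repository URL is plain HTTP, use HTTPS")
    for sid, pw in servers.items():
        # Maven-encrypted passwords are wrapped in braces; anything else is cleartext.
        if pw and not (pw.startswith("{") and pw.endswith("}")):
            findings.append(f"{sid}: password stored in cleartext")
        if sid not in used:
            findings.append(f"{sid}: server entry not referenced by the POM")
    return findings

if __name__ == "__main__":
    for finding in audit(SETTINGS_XML, POM_XML):
        print(finding)
```

On the sample pair, the one-letter difference between `internal-snapshot` and `internal-snapshots` is reported from both sides: the POM repository has no matching server entry, and the server entry is unused.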