CJ writes

Summary

This article provides a step-by-step guide on setting up a JFrog Maven remote repository, configuring the pom.xml and settings.xml files, and integrating the repository with CI/CD tools.

Abstract

The blog post details the process of configuring a Maven remote repository in JFrog Artifactory, explaining the benefits of using such a repository for caching, performance optimization, reliability, availability, and security. It outlines the steps to create a remote repository, add it to the pom.xml file, and set up authentication in the settings.xml file. The article also discusses how to use the repository with CI/CD tools like Jenkins or GitHub Actions, emphasizing the importance of securely managing credentials. The author concludes by providing practical examples and commands to verify the setup and ensure that builds are correctly routed through the JFrog repository.

Opinions

  • The author believes that using a JFrog Maven repository is preferable to directly accessing Maven Central, especially within organizational environments.
  • The article conveys that caching dependencies locally through JFrog Artifactory can significantly improve build times and reduce unnecessary downloads.
  • It is suggested that using JFrog Artifactory enhances the reliability and availability of build processes by preventing interruptions due to external network issues or downtime of Maven Central.
  • The author emphasizes the importance of security and compliance, advocating for the use of JFrog Xray to block vulnerable dependencies.
  • The author expresses a personal preference for GitHub Actions as a CI/CD tool, highlighting the ability to securely manage sensitive information using secrets.

How to Set Up JFrog Maven Remote Repository : Configuring POM, Settings.xml, and Build Process

Hi Amigos! In this blog, we’ll be setting up our Maven remote repo in JFrog, super easy! Then, we’ll tweak the pom.xml file to point to our brand new repo. Finally, we’ll build our Maven project and give it a quick spin to make sure everything’s running smoothly. Let’s dive in!

Why create a JFrog Maven repo instead of just using Maven Central? Well, here’s the deal: most organizations don’t directly rely on Maven Central. In fact, production VMs might not even have access to it!

Here’s the twist, we’ll access Maven Central through our JFrog server. Sounds cool, right? But you’re probably wondering why this setup makes sense. Let’s break down the main reasons!

Caching and Performance Optimization :

Artifactory caches dependencies fetched from Maven Central, which speeds up build times

Dependencies are pulled from the local cache instead of being downloaded from the internet every time, reducing unnecessary downloads, especially useful for large teams or frequent builds

Reliability and Availability :

Your builds won’t be affected by external network issues or Maven Central’s downtime

Even if Maven Central is temporarily unavailable, Artifactory ensures your builds continue without interruption

Security and Compliance :

Accessing Maven Central directly can expose your environment to unverified or potentially malicious artifacts.

With Artifactory, you can enforce security policies, like blocking vulnerable dependencies using tools like JFrog Xray

So, there are usually 2 ways to handle this

(1) IT team might manage the central repo with verified dependencies

(2) We can directly use the Central Maven repo via our JFrog repo. We’re going with this option, but don’t worry, the process will be the same for other sources. We just need to change the repository source URL, and that’s it!

Now, let’s go ahead and create our Maven remote repository on our JFrog server

Go to Administration → Add Repository → Remote Repository

Enter the name for your repository

Provide the URL : https://repo1.maven.org/maven2/ (Since we’re using the Maven Central repo in our case)

If there are any credentials required, enter them and test the connection

Tip : If the connection fails (which can happen when connecting from an organization’s environment), go to the Advanced tab, enable proxy settings, and try again

Yay! Our remote repo is set up and ready to go

Let’s add the JFrog Artifactory repository to the <repositories> section of your pom.xml like below

<repositories>
    <repository>
        <id>Jfrog-id</id>
        <name>Jfrog Repository</name>
        <url>https://test-jfrog-server/artifactory/maven-test-repo</url>
        <releases>
            <enabled>true</enabled>
        </releases>
        <snapshots>
            <enabled>true</enabled>
        </snapshots>
    </repository>
</repositories>

The <enabled>true</enabled> under <releases> allows Maven to use release versions of dependencies from this repository. A release version is a stable version, typically one that is considered production-ready (for example, 1.0.0)

The <enabled>true</enabled> under <snapshots> allows Maven to use snapshot versions of dependencies from this repository. A snapshot version is a version under active development, typically not considered stable, and it can change frequently (for example, 1.0.0-SNAPSHOT)

Now, we will set up authentication for our JFrog repo in the settings.xml file

If your JFrog repository requires authentication, you can add your credentials to Maven’s settings.xml file, usually located at

  • Linux/Mac: ~/.m2/settings.xml
  • Windows: %USERPROFILE%\.m2\settings.xml

<servers>
    <server>
        <id>Jfrog-id</id>
        <username>CJwrites</username>
        <password>3JrcmR*</password>
    </server>
</servers>

Otherwise, if you want all projects on your system to use the JFrog repository by default, you can configure a <mirror> in settings.xml

<mirrors>
    <mirror>
        <id>jfrog-artifactory-mirror</id>
        <mirrorOf>*</mirrorOf>
        <url>https://test-jfrog-server/artifactory/maven-test-repo</url>
    </mirror>
</mirrors>

<!-- Add authentication -->
<servers>
    <server>
        <id>jfrog-artifactory-mirror</id>
        <username>CJwrites</username>
        <password>3JrcmR*</password>
    </server>
</servers>

We are ready! Now, we will try to build our Maven-based Java project and verify if the requests are routed to our repository properly

Command : mvn clean install

[INFO] Scanning for projects…

[INFO] Downloading: https://test-jfrog-server/artifactory/maven-test-repo/commons-lang3/3.12.0/commons-lang3-3.12.0.pom

If you’re looking to use CI/CD tools like Jenkins or GitHub Actions, here’s a simple way to do it

I personally use GitHub Actions. I’ll keep the settings.xml file in the repo, but don’t worry! I won’t expose the server, username, password, or any sensitive info. Everything is saved as a secret, and when it’s time to run, it’ll pull the secrets securely

<servers>
    <server>
        <id>jfrog-artifactory-mirror</id>
        <username>${JFROG_USERNAME}</username>
        <password>${JFROG_PASSWORD}</password>
    </server>
</servers>
<mirrors>
    <mirror>
        <id>jfrog-artifactory-mirror</id>
        <mirrorOf>*</mirrorOf>
        <url>${JFROG_SERVER}</url>
    </mirror>
</mirrors>

Also, I’ll move the settings.xml file to the path using a job, like this

- name: Copy settings.xml to Maven directory
  run: |
       # Create the .m2 directory if it doesn't exist
       mkdir -p ~/.m2
        
       # Copy the settings.xml from the repository to the .m2 directory
       cp settings.xml ~/.m2/settings.xml
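
A pre-build check for the two settings.xml variants shown above, as an added example that is not part of the original post: it flags a literal password, a mirror whose id has no matching server entry (Maven attaches credentials to a repository or mirror by id), and a mirror URL that is not HTTPS. The function name, finding strings and both sample documents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")  # e.g. ${JFROG_PASSWORD}
ENCRYPTED = re.compile(r"^\{.+\}$")         # output of `mvn --encrypt-password`

def _text(parent, tag):
    return (parent.findtext(tag) or "").strip()

def audit_settings(xml_text):
    """Return a list of findings for a Maven settings.xml given as a string."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop the optional SETTINGS namespace from tags
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings, server_ids = [], set()
    for server in root.iter("server"):
        sid, pwd = _text(server, "id"), _text(server, "password")
        server_ids.add(sid)
        if pwd and not (PLACEHOLDER.match(pwd) or ENCRYPTED.match(pwd)):
            findings.append(f"server '{sid}': literal password in file")
    for mirror in root.iter("mirror"):
        mid, url = _text(mirror, "id"), _text(mirror, "url")
        if mid not in server_ids:  # credentials are matched to the mirror by id
            findings.append(f"mirror '{mid}': no <server> with the same id")
        if not (PLACEHOLDER.match(url) or url.startswith("https://")):
            findings.append(f"mirror '{mid}': url is not https")
    return findings

# Constructed samples modelled on the two settings.xml variants in this post.
LITERAL = """<settings><servers><server><id>Jfrog-id</id>
<username>builder</username><password>not-a-real-password</password>
</server></servers><mirrors><mirror><id>jfrog-artifactory-mirror</id>
<mirrorOf>*</mirrorOf><url>http://test-jfrog-server/artifactory/maven-test-repo</url>
</mirror></mirrors></settings>"""

CI_SAFE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"><servers>
<server><id>jfrog-artifactory-mirror</id><username>${JFROG_USERNAME}</username>
<password>${JFROG_PASSWORD}</password></server></servers><mirrors><mirror>
<id>jfrog-artifactory-mirror</id><mirrorOf>*</mirrorOf><url>${JFROG_SERVER}</url>
</mirror></mirrors></settings>"""

if __name__ == "__main__":
    for name, doc in (("literal", LITERAL), ("ci", CI_SAFE)):
        print(name, audit_settings(doc) or "clean")
```

Run as a step before the copy, a non-empty result can fail the job so that a settings.xml with a literal password never reaches ~/.m2.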

That’s a wrap! Thanks for reading. Loads of love to you and your family ❤️
