
Credentials for mirror #4

Open
Dichotomia opened this issue Aug 30, 2021 · 5 comments

Comments

@Dichotomia

Hi,

I use mirrors and credentials in settings.xml
https://maven.apache.org/settings.html#mirrors

Credentials don't seem to work for a mirror.

Best regards

@gzm55
Owner

gzm55 commented Aug 30, 2021

Project-level servers.server[].{username,password,privateKey,passphrase,filePermissions,directoryPermissions} are ignored. Because the project settings will be committed into the SCM repo, it is not secure to save the credentials into your repo. For now the mirror credentials can only be set in the user settings.xml.

@dirkey

dirkey commented Aug 30, 2021

I think it's not a good idea to ignore any setting. There are some use cases where it makes total sense.
Most enterprises host a dedicated or a shared repo. Reading and deploying need authentication. Clearly, you should never commit credentials which have deploy capabilities. On the other hand, the reading credentials are shared over the wiki or email anyway.
In our case: I wish I could provide a settings file with the credentials for accessing the repo. The build server overrides it with the -s ci_settings.xml file. So, no harm involved. If the developer has the rights to clone the project, he doesn't need to change any files at all.

@gzm55
Owner

gzm55 commented Aug 30, 2021

> I wish I could provide a settings file with the credentials for accessing the repo

The developer will still have to set up the environment once to bootstrap projects in your org, so it is better done in the user settings, the standard Maven way.

In my similar case, the project repo holds a mirror URL with a unique server.id in the project-level settings.xml from the org, and the org distributes the credentials for each developer or team to access the mirror. The credentials are then owned by the user and are merged into their own user-level settings.xml. In the CI environment, the org provides a common user-level settings.xml that reads the credentials from environment variables, which are injected into CI jobs by the CI platforms (gitlab/travis-ci, etc.) via secret CI variables.

@dirkey

dirkey commented Aug 30, 2021

Yes, exactly! You need manual tasks to do so. Some projects even check in the settings.xml in the repo, with the part to copy and paste into the user's settings.xml. But why! Why do we need this manual task, when the authentication is known in the company anyway? It should only deny access from the outer world.
Please consider: This should only be for a user to read the repository (not deploy)!
If the ignore is meant to be a security feature, you should stop the build if these settings are present. Ignoring doesn't stop developers from adding them anyway.
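The following is an added example, not code from this issue or from gzm55's extension. It writes out the split gzm55 describes (a committable project-level settings.xml holding only the mirror, and a user-level settings.xml whose `<server>` entry shares the mirror's id and pulls the credentials from environment variables via Maven's `${env.*}` interpolation) and then implements the gate dirkey asks for: a check that fails instead of silently ignoring credential elements found in the project-level file. The hostname, server id, file paths and variable names are all constructed for the demo.

```sh
#!/bin/sh
# Added example (not from this issue or the extension under discussion).
# Left side of the split: project-level settings.xml with the mirror only.
# Right side: user-level settings.xml with the credentials from the CI
# platform's secret variables. Then a pre-commit/CI gate that rejects a
# project-level file carrying credentials instead of ignoring them.
# All ids, hostnames, paths and variable names below are constructed.

WORK="${TMPDIR:-/tmp}/settings-demo.$$"
mkdir -p "$WORK"

# Project-level settings.xml: safe to commit, carries no credentials.
cat > "$WORK/project-settings.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0">
  <mirrors>
    <mirror>
      <id>org-mirror</id>
      <url>https://repo.example.org/maven2</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
</settings>
EOF

# User-level settings.xml (~/.m2/settings.xml, or the file passed with -s
# on the build server): the <server> id matches the mirror id, and Maven
# resolves ${env.NAME} from the job's environment at runtime, so the file
# itself never contains the secret.
cat > "$WORK/user-settings.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0">
  <servers>
    <server>
      <id>org-mirror</id>
      <username>${env.MAVEN_MIRROR_USER}</username>
      <password>${env.MAVEN_MIRROR_PASSWORD}</password>
    </server>
  </servers>
</settings>
EOF

# settings_has_credentials FILE
# Returns 0 if FILE contains any of the credential elements the extension
# ignores at project level, 1 otherwise. Line-oriented heuristic rather
# than an XML parse; sufficient for a gate that fails loudly.
settings_has_credentials() {
  grep -Eq '<(username|password|privateKey|passphrase)>' "$1"
}

# check_project_settings FILE
# Returns 0 when FILE is safe to commit, 1 (with a message on stderr) when
# it carries credentials that belong in the user-level settings.xml.
check_project_settings() {
  if settings_has_credentials "$1"; then
    echo "REJECT: $1 contains server credentials; move them to the user settings.xml" >&2
    return 1
  fi
  echo "OK: $1 carries no credentials"
  return 0
}

# Demo run: the project file passes, the user file is rejected by design.
check_project_settings "$WORK/project-settings.xml"
check_project_settings "$WORK/user-settings.xml" || true
```

Wiring `check_project_settings` into a pre-commit hook or an early CI step turns the silent ignore into a build failure, which is the behaviour requested above; the user-level file is exempt because that is exactly where the credentials are supposed to live.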

@gzm55
Owner

gzm55 commented Aug 31, 2021

I agree with removing manual tasks from the build process amap. This ext does try to eliminate some of the manual jobs without introducing new troubles.
If the project-level server.password overrides the user level, and someone uploads their own user/password, then other developers may get the incorrect identity and permissions on the mirror, and that could even block the build.
That is, the user loses control of his identity in some scenarios, even if the project-level server.password is well encrypted without any security concerns.
