You can open this sample in an IDE that supports Gradle.

This sample shows how credentials can be used when publishing artifacts to a Maven repository using project properties. This approach allows you to keep sensitive configuration out of your project’s source code and inject it only when needed.

The code in the maven-repository-stub directory builds a plugin used to stub the Maven repository in order to demonstrate the authentication flow. It expects the following hardcoded credentials on the server stub:

maven-repository-stub/src/main/java/com/example/MavenRepositoryStub.java
private static final String USERNAME = "secret-user";
private static final String PASSWORD = "secret-password";

In a real project, your build would point to a private repository for your organization.

The published project has some sample Java code to be compiled and distributed as a Java library. Gradle build file registers a publication to a Maven repository using provided credentials:

build.gradle.kts
publishing {
    publications {
        create<MavenPublication>("library") {
            from(components.getByName("java"))
        }
    }
    repositories {
        maven {
            name = "mySecureRepository"
            credentials(PasswordCredentials::class)
            // url = uri(<<some repository url>>)
        }
    }
}
build.gradle
publishing {
    publications {
        library(MavenPublication) {
            from components.java
        }
    }
    repositories {
        maven {
            name = 'mySecureRepository'
            credentials(PasswordCredentials)
            // url = uri(<<some repository url>>)
        }
    }
}

Credentials will be required by the build only if the task requiring them is to be executed - in this case the task publishing to the secure repository. This allows to build the project without worrying about the credentials. Try running ./gradlew jar and it will succeed. Run ./gradlew publish and it will tell you what is missing right away, without executing the build. Credentials can and should be kept externally from the project sources and be known only by those having to publish artifacts, perhaps injected by a CI server.

Credential values are provided using Gradle properties and can be passed to the publish task in multiple ways:

  • via command-line properties:

$ ./gradlew publish -PmySecureRepositoryUsername=secret-user -PmySecureRepositoryPassword=secret-password
  • via environment variables:

$ ORG_GRADLE_PROJECT_mySecureRepositoryUsername=secret-user ORG_GRADLE_PROJECT_mySecureRepositoryPassword=secret-password ./gradlew publish
  • by setting the properties in gradle.properties file:

mySecureRepositoryUsername=secret-user
mySecureRepositoryPassword=secret-password

and running

$ ./gradlew publish

The sensitive data is kept outside of the project sources since the gradle.properties file can reside in the user’s ~/.gradle directory.

For more information about using Gradle properties, see Gradle Properties user manual chapter.