Reputation: 5928
I am trying to regain control of dependencies used by our projects by migrating from zero management (local lib folder) to a locally managed system (Archiva).
Each of our dependencies already resides in a separate directory, similar in structure to what Archiva creates. An individual directory contains the dependency jar, source zip/jar, javadoc zip/jar and a text file with the license for the dependency. The latter is needed by the build process, since the final products need to contain a third party licenses directory, where all the dependency licenses are gathered in form of files (not URLs).
I have (after reading documentation and trial/error) managed to properly upload all artifacts of a dependency, except its license. While the txt files representing licenses are uploaded, I fail to understand how one is supposed to indicate that such a file is a license for the dependency.
I have tried to edit the POM file of the dependency to include licensing info, and then retrieve it in Maven via license-maven-plugin:
<?xml version="1.0" encoding="UTF-8"?>
<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example</artifactId>
  <version>2.5.2</version>
  <licenses>
    <license>
      <url>http://localhost:8282/archiva/repository/myrepo/org/example/example/2.5.2/example-2.5.2-LICENSE.txt</url>
    </license>
  </licenses>
</project>
But this does not work. The plugin spews out HTTP 401 errors, if I try this.
--- license-maven-plugin:1.14:download-licenses (download-licenses) @ maventest ---
Unable to retrieve license for dependency: org.example:example
http://localhost:8282/archiva/repository/myrepo/org/example/example/2.5.2/example-2.5.2-LICENSE.txt
Server returned HTTP response code: 401 for URL: http://localhost:8282/archiva/repository/myrepo/org/example/example/2.5.2/example-2.5.2-LICENSE.txt
It seems somewhat non-intuitive that I have to specify a full URL for the license - the file is right there on the server next to the associated jar dependency and POM file itself (and they are both downloaded without Unauthorized errors) - but that is what the parameter wants. It almost seems that licenses are expected to be hosted on some external publicly available site and not in the repository itself.
Explicitly stating a dependency in project POM of course works, as far as downloading goes:
<dependency>
  <groupId>org.example</groupId>
  <artifactId>example</artifactId>
  <version>2.5.2</version>
  <classifier>LICENSE</classifier>
  <type>txt</type>
</dependency>
But that doesn't feel right - not even sure how one would reference it in build process in order to copy to appropriate places.
How does one properly handle license artifacts in a repository managed by Archiva? How does one reference them properly in their Maven projects?
Upvotes: 0
Views: 683
Reputation: 5928
There is a special Guest user account in Archiva, which does not require username and password in order to authenticate. By default it will have Repository Observer access rights only for built in repositories (snapshots and internal) that come with a fresh Archiva instance. The Repository Observer role is basically read access for a repository and artifacts within.
If you want to read random files in a custom local repository via their full URL without the need to authenticate, you will have to add Repository Observer rights for the repository in question to the Guest user.
Doing this allowed me to circumvent HTTP 401 errors and made the license plugin work in my case, so my POM file is perfectly okay.
Exact steps for managing Guest (or any other user) account are described in Manage Archiva Users, a section of Administrators Guide.
Still do not know if it is a good practice to handle licenses this way, however. It seems keeping them in some remote location is preferred, which I'm assuming based on the structure of <licenses> property in a POM file (url only, no relative paths).
Upvotes: 1
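The classifier-based dependency from the question can be wired into the build with maven-dependency-plugin's `copy` goal, so the license file is fetched through normal artifact resolution (the same repository access already used for the jar and POM) and the Guest account's permissions stay unchanged. This is an added example, not part of the original posts; the execution id, the phase and the `third-party-licenses` output directory are assumptions.

```xml
<!-- Added example for the consuming project's pom.xml; not from the original posts. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-dependency-plugin</artifactId>
      <!-- Pin the plugin version your build already uses. -->
      <executions>
        <execution>
          <!-- Assumed id and phase: run before packaging so the files can be bundled. -->
          <id>copy-third-party-licenses</id>
          <phase>prepare-package</phase>
          <goals>
            <goal>copy</goal>
          </goals>
          <configuration>
            <artifactItems>
              <!-- One item per dependency; coordinates match the question's example. -->
              <artifactItem>
                <groupId>org.example</groupId>
                <artifactId>example</artifactId>
                <version>2.5.2</version>
                <classifier>LICENSE</classifier>
                <type>txt</type>
                <!-- Assumed target directory for the gathered license files. -->
                <outputDirectory>${project.build.directory}/third-party-licenses</outputDirectory>
                <destFileName>example-2.5.2-LICENSE.txt</destFileName>
              </artifactItem>
            </artifactItems>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Because the file is resolved as an artifact rather than fetched by raw URL, any credentials configured for the repository in `settings.xml` apply to it, and anonymous read access to the custom repository does not need to be granted.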