Increase your Maven Package’s Exposure by Adding it to JCenter

If you already distribute your Maven packages via Bintray, your packages can gain further exposure by including them in Bintray’s JCenter! (if you are not very familiar with Bintray’s support for Maven, please refer to the user guide and to my previous post).

JCenter is the repository with the biggest collection of Maven artifacts in the world. And it’s on the best software distribution platform around – Bintray. This is where you want your Maven packages to be! CDN speed, user exposure, and live statistics to monitor the use of your artifacts are some of the benefits you get from JCenter. And if you really want to, you can also have your project synced with the older Maven Central repository.

Submit an Inclusion Request to JCenter

To promote sharing of packages within the developer community, once you have uploaded a package to one of your repositories, you can submit a request to the owner of any other repository to have your package included in theirs. If your request is granted, your package can be found just like any other package in that repository. You still maintain full control over the package in your own repository, and any changes you make to it, such as delivering new versions, or even removing it, are automatically synced to the other repository in which it’s included. So to maximize exposure of your Maven package in Bintray, all you need to do is request to have it added to JCenter.
In order to submit a request, just click on the ‘Add to JCenter’ button:

Add Package To JCenter
Once a Bintray moderator approves your request, your package will be available on JCenter, and you will receive a message into your Bintray mailbox. You will also see that your package is now linked to JCenter:
Maven Projects Linked To JCenter

Sync with Maven Central

At this point you can also have JCenter sync your package to Maven Central if you need to serve frameworks still using this repository. All you need to do is click on the ‘Maven Central’ link as shown above. Remember that you need to provide your Sonatype user name to Bintray before the syncing, but don’t worry, Bintray will remind you to do so if you haven’t already added it to your profile under Accounts:
Accounts Sonatype
Bintray takes care of the rest. Please also refer to the step by step instructions for how to sync your artifacts with Maven Central.

Good luck, and keep your package front and JCenter!

Publishing Your Maven Project to Bintray

Bintray gives you everything you need to share your Maven project, and much more: you will be able to monitor downloads and users with the statistics that Bintray keeps for you. You can also share your project via Bintray’s JCenter repository (which is the largest public Maven repository out there), and effortlessly sync it with Maven Central, if you wish.

Just follow these 5 simple steps to upload your Maven project to Bintray:

1. Have your Maven project ready

  • For this use case we will assume we have a maven project with the following groupId: org.jfrog.example.bintray.maven

2. Create a Maven package in Bintray

  • Open a Bintray account if you have not done so before.
  • Use the default Maven repository under your account or create a new one. The is where your Maven files will be hosted.

Create New Maven Repository

  • Under the Maven repository create a new package for your project. The package is merely a logical container that holds metadata about your project and annotates your files to allow Bintray to collect package and version level statistics.
    A good name for your package would be your main artifactId, but any name that logically identifies your project will do just as well.
    In our case, a good example would be: maven-example

3. Add the Bintray distribution URL

Next thing you need to do is to add a distribution section to your project’s pom.xml, and specify the URL from which to distribute your project. We will use our Bintray Maven repository and package as the target for deployment (remember? files in Bintray are always associated with a logical software package).

<distributionManagement>
  <repository>
      <id>bintray-repo-maven-example</id>
      <url>https://api.bintray.com/maven/tamarjfrog/maven-repo/maven-example/;publish=1</url>
  </repository>
</distributionManagement>

For your project to be visible to others, Bintray requires that you publish it. One way to do that is to add the publish directive to the distribution URL as a matrix parameter (;publish=1) as I did in the above example. You can also publish your projects at a later time using  the Bintray UI or via REST.

This block also includes an <id> tag. The id can be any string, but it should match the id in the settings.xml file described in the next step.

4. Provide your credentials to Bintray

In order to work with Bintray you need to provide your Bintray username and API Key as upload credentials in the username and password tags of your Maven settings.xml file. The API Key can be found when editing your Bintray profile page.

<server>
  <id>bintray-repo-maven-example</id>
  <username>tamarjfrog</username>
  <password>***my-top-secret-api-key***</password>
</server>

5. Time to deploy!

You are almost there. This is the time to run

mvn deploy

The project will be built, uploaded to the the Bintray repository target URL you provided, and published. You can now see your files in your Maven package in Bintray.

Maven Package Files List.
At this point, you can add your project to JCenter, the most comprehensive public Maven repository, so your project is well exposed. To read more about that, stay tuned for my next post.

A sample project similar to what I used in this post can be found in GitHub: bintray-examples/maven-examples.

Good Luck!

Enterprise Level Access Control with Keys and Entitlements

entitlements200x190

“Private repositories”, “Teams and Organizations”, “Permissions”…, sounds like that’s all you need to provide secure private downloads. Well, not quite. Those are great features that fit the bill if your consumer is a Bintray user. But what if she isn’t? Well, then there are signed URLs. Those should do the trick. Just sign your file and send your consumer the URL. But what if you want to share an entire repository, package or version with a group of people, but need to give each of them different privileges. Some can only view or download your files, but others should be able to delete your files or upload new ones. Signed URLs don’t cover that kind of control. They are great for single files, but for more fine-grained access control, you need a more sophisticated feature. That’s where entitlements and keys come in.

“Entitlements,” you said? What are those?

Entitlements are privileges you can give anyone…yes anyone, not only Bintray users, to entities in your private repositories. “Entities” means anything that can contain files – a whole repository, a path within the repository, a specific package or a specific version. “Privileges” means “rw”  – download, upload and delete, or “r” – download only. If you didn’t notice, the combination of entities and privileges gives you any level of granularity that you need for providing access.

But how do you unlock entitlements?

I guess you get the hint. Keys unlock entitlements. You generate a key along with its password (or Bintray can generate one for you automatically). Your user will have to provide the username and password to enable the key that unlocks the entitlement. That’s where the security lies. Only users who have both the username and the password of the key that you provide to them can access your repository entities according to the entitlements you created.

So how does it all work?

Two simple steps using Bintray’s REST API:

  1. Create keys. You can supply a password for each key you create, or Bintray can generate one for you.

  2. Create entitlements. When you create entitlements, you specify which keys to apply to them.

Now all you need to do is provide your user with the username and password for one of those keys. Your user now applies a REST API to access your private Bintray resource while including the key and password you provided as parameters to the API call. Bintray will check if there is an entitlement that allows access to that resource, and if that entitlement has the key that the user specified associated with it.

Let’s see an example at work

Let’s say user “ACMECorp” has a private repository called “acme”.

This private repo contains several versions of acprod under the “acmecorprod” directory that are protected from public access.

ACMECorp wants to authorize a “platinum customer” to download the different versions. Needless to say, “Ms. Platinum” does not have a Bintray account.

First, ACMECorp needs to create a key. Bintray offers two ways to maintain control over keys that are distributed to outside users. The easy way is to just put an expiry date on the key. A more advanced method is to set up an internal server that is used to validate and authenticate keys, and provide the server URL to Bintray when a key is created. Every time a user tries to access ACMECorp’s repositories, Bintray will validate the key using  the URL that ACMECorp provided when creating it. Since ACMECorp is very careful with its key, let’s assume they want to validate keys with their own systems:

curl -XPOST -uacmecorp:APIKEY “https://api.bintray.com/users/acmecorp/download_keys
{
“id”: “key1″,
“expiry”: 7956915742000
“existence_check”:{
      “url”: “http://callbacks.myci.org/username=:username,password=:password”,
      “cache_for_secs”: 60
      }
}

Bintray creates a key and its associated password

Status: 201 Created
{
"username": "key1@acmecorp",
"password": "8fdf84d2a814783f0fc2ce869b5e7f6ce9f286a0"
}

ACMECorp now creates an entitlement that provides download privileges to the acmecorprod directory, while assigning key1 that was just created

curl -XPOST -uacmecorp:APIKEY "https://api.bintray.com/packages/acmecorp/acme/acprod/entitlements
{
"access": "r",
"download_keys": ["key1"]
}

Bintray responds:

Status: 201 Created
{
"id": "7f8d57b16c1046e38062ea3db91838ff77758eca",
"access": "r",
"download_keys": ["key1"]
}

Basically, that’s it. ACMECorp can now just provide the username “key1@acmecorp” and its password to Ms. Platinum who can now use them to access the acmecorprod directory in ACMECorp’s repository.

For example, to download version 1.0 of acprod, Ms. Platinum would use:

curl -XGET “https://dl.bintray.com/acmecorp/acme/acmecorprod/1.0/acprod.exe” -ukey1@acmecorp -p”8fdf84d2a814783f0fc2ce869b5e7f6ce9f286a0”

But what happens now if ACMECorp and Ms. Platinum have a falling out. When that happens, ACMECorp can just delete the download key from their validation server and “Hey presto”, Ms. Platinum is now locked out of ACMECorp’s repositories.

Try doing that on Docker Hub, RubyGems.org, NuGet Gallery, Maven Central or any other repository or download center out there. Bintray is the only one that provides you with this level of control over access to your private resources.

Enjoy Bintray and use it as pain-free gateway to Maven Central

What does it means when some tool or framework has literally dozens of guides, pages long each?maven central dinosaur
It probably means that it is popular, or complicated to use. Usually, both.

That’s the story of Maven Central (a.k.a. Central Repository, a.k.a. repo1, a.k.a. ibiblio). Of course, there is a better alternative nowadays – Bintray is already a super-set of Maven Central, both in terms of UI, UX and content, but Maven Central is still “hardwired” into the super-popular Maven 2. As such, it is being used by many – by Maven users of course, but also by Ivy, and even by Gradle users (those not familiar with Bintray’s ‘jcenter()’ repo yet). That means that you (still) want your package to also end up  there.

But getting it there is painful… *Very* painful.

Maven Central #fail

Click to enjoy the comments 😛

To understand how painful, next time you take a break, here’s a nice old-school text quest.

So, you get the picture. There has to be a better way. Indeed there is. Why don’t you use a proper distribution platform, with easy and intuitive on-boarding, publishing and sharing, with rich near real-time statistics, downloadable logs, packages inclusion, watching and sharing abilities, and much more. You know, Bintray.

Here’s the deal:

First, some simple one-time setup needed to be done.

  1. Register to Bintray and set up auto-signing: Generate yourself a keypair, if you don’t have one. Add it to your profile, and setup your default Maven repo (or a new one) for signing with your GPG key: Bintray can then sign your jars automatically.
  2. Add your Sonatype account under “accounts”. If you don’t have one, follow this procedure (yeah, we know what you are saying when you see it, that’s the last “wtf” in this guide, we promise).
  3. Create and link your package: Import from a GitHub repo or create a new package for your Maven project (multi-module projects can map to a single package). Click on “Add to JCenter” to get your package linked to the largest Java Maven repository on the planet.
  4. Set up Maven up to deploy to Bintray by copy-pasting the pom.xml snippets from “Set me up!” guide, or use the bintray-gradle-plugin.

Now, for each release, it’s easy as 1-2-3:

  1. Deploy: Deploy files to Bintray by running your build tool*.
  2. Publish: Review the build artifacts in Bintray and publish the version files if satisfied. Don’t forget to advertise your new release using a single-click tweet.
  3. Sync: On the version page go to the Maven Central tab (the one with the dinosaur icon on it), enter your Sonatype password and click “Sync” and you’re done! Your package is now in https://oss.sonatype.org/content/repositories/releases and will be synced to Maven Central (and they usually take their time). In case of a sync problem, Bintray will automatically take care of any needed cleanup.

Next, you’ll probably feel the urge to to tweet something like this:

Don’t resist it. You are joining spring, netty, jenkins, joda-time, asciidoctor and many many others that already feel the same way.


* Remember: distribution platform is not for SNAPSHOT-s. Stay tuned for our post about oss.jfrog.org to see how you can get access to a free binary repository with one-click promotion to Bintray.

Hot on Bintray: Package Merging

We have recently introduced package merging: several packages from the same repository can now be merged into one. This is extremely useful when you have existing packages that are not aligned properly. For example, when you have many small technical packages (modules) that are logically one, single package, often using the same version scheme. Such situations are extremely common with maven packages that were created to reflect existing group IDs and that are effectively part of a single package (a common situation for packages imported to JCenter).

This is how it works:

Package Merging

(1) From the package you wish to merge the other packages into, click the new Merge button.
(BTW, have you noticed our new tabs UI? ;-))

(2) Once clicked, select the other packages to merge into the package you have just selected.
The merge page contains two sections: On the left side, a list for filtering, finding and selecting candidate packages in the same repo for merging.  On the right side, the  package that is the merge target – all other selected packages will be merged into it. Note that the default is the name of the package you have selected in step #1, but you can change this name.

How to Merge Packages?

(3) Click Merge to have the files and versions of all the selected packages merged. Note that your files will be laid-out in the repository exactly as they were before the merge – but you can now manage them and all your versions under a new, consolidated logical package.

Knock yourself out! 🙂

Stay in Context, See the World

New release, new features!

Focus on what’s important

You know, Bintray supports various repository types, like Maven, YUM and Debs, and more types to come. But sometimes all those goodies are just too much. You want to see and search for only certain type of packages (e.g. focus only on Maven jars to use Bintray as Maven repository). Now you can scope the whole Bintray experience to a single repository type:
select context

And woot! You are in the Java world, completely. Nothing but your beloved jars:
maven context
The selection is persistent, and you can always clear it by clicking the x on the filter button.

See where your fans are

I know I usually write too much, so this one will be image only:
map

Nuff said.

Happy publishing!