How to disable maven blocking external HTTP repositories?

Question

Maven blocks external HTTP repositories by default since version 3.8.1 (see https://maven.apache.org/docs/3.8.1/release-notes.html)

Is there a way to disable that or to exempt a repository from this rule?

Are you in a corporate environment? If so configure a `*` and redirect to your internal repository manager? — khmarbaise, Apr 08 '21 at 11:40
@khmarbaise I found a solution (see my answer), where I explicitly configure a mirror for each blocked repository. With your solution, using a wildcard for `mirrorOf`, I could not distinguish between repositories, e.g. one for each snapshot and release. Or could I? — Sebu, Apr 08 '21 at 11:58
You can. See https://help.sonatype.com/repomanager3/formats/maven-repositories (settings.xml file)...The mirrorOf helps me to prevent to change something if I find a new repo... maintenance ... all request are redirected to repository manager which blocks already everything...Also I would never put a `settings.xml` in `.mvn` better use a config file provider plugin (Jenkins) to handle that incl. credentials.... Never allow repos being defined in a pom file... — khmarbaise, Apr 08 '21 at 12:09
@khmarbaise I see your point. I agree, this would be a better configuration. However, my situation is different and I need to work with what I've got. I have 20 projects, and in each pom file, the repositories are defined. And since the maven update to 3.8.1, all the builds fail, because the repositores are HTTP, not HTTPS. I use JFrog Artifactory as repo manager — Sebu, Apr 08 '21 at 13:54
This is a basic issue. You should change those pom files and clean them up... anything else is wrong...there are very good reason not to put any repo in a pom file..and use you repo manager it does not matter which one..the setup is more or less the same... — khmarbaise, Apr 08 '21 at 13:59
@khmarbaise I got it, I will try to reconfigure my repo manager and remove the repositories from the pom files. This will probably resolve my issue. But my question in this thread still holds, independent of the repo manager, and I wonder if its possible to disable this new behaviour — Sebu, Apr 08 '21 at 14:05
@khmarbaise but I can't change other projects' POM files, can I? I get transitive dependencies from maven central that do not resolve. It was super stupid to do that and not even try https:// in place of http:// first. — alamar, Apr 26 '21 at 11:11

Sebu · Accepted Answer · 2022-07-25T07:44:11.143

203

I found a solution to do this by inspecting the commit in the Maven git repository that is responsible for the default HTTP blocking: https://github.com/apache/maven/commit/907d53ad3264718f66ff15e1363d76b07dd0c05f

My solution is as follows:

In the Maven settings (located in ${maven.home}/conf/settings.xml or ${user.home}/.m2/settings.xml), the following entry must be removed:

<mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>external:http:*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://0.0.0.0/</url>
</mirror>

If you work in a project and cannot make sure the Maven settings are always like that, e.g. because you share code with other people or want to use CI/CD with automated testing, you may do the following: Add a directory named .mvn in the project. In the .mvn directory, add a file named maven.config with the content --settings ./.mvn/local-settings.xml. In the .mvn directory, add a file named local-settings.xml. This file should look like this:

<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd">
    <mirrors>
        <mirror>
            <id>my-repository-http-unblocker</id>
            <mirrorOf>my-blocked-http-repository</mirrorOf>
            <name></name>
            <url>http://........</url>
        </mirror>
    </mirrors>
</settings>

Where inside the <mirrorOf> tag, you need to specify the id of the blocked repository, and in the <url> tag, you specify the original url of the repository again. You need to create this unblocker mirror for every repository you have that is blocked.

Example:

If you have the following HTTP repositories defined in the pom.xml:

<repositories>
    <repository>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
        <id>central</id>
        <name>libs-release</name>
        <url>http://my-url/libs-release</url>
    </repository>
    <repository>
        <id>snapshots</id>
        <name>libs-snapshot</name>
        <url>http://my-url/libs-snapshot</url>
    </repository>
</repositories>

Then you need in the .mvn/local-settings.xml:

<settings>
    <mirrors>
        <mirror>
            <id>release-http-unblocker</id>
            <mirrorOf>central</mirrorOf>
            <name></name>
            <url>http://my-url/libs-release</url>
        </mirror>
        <mirror>
            <id>snapshot-http-unblocker</id>
            <mirrorOf>snapshots</mirrorOf>
            <name></name>
            <url>http://my-url/libs-snapshot</url>
        </mirror>
    </mirrors>
</settings>

I hope my work can help other people who stumble upon this. However, if you have a more elegant or better solution, please share!

edited Jul 25 '22 at 07:44

answered Apr 08 '21 at 11:16

Sebu

4,671
5
16
29

Is it possibile to unblock all blocked repos by a wildcard? – Antonio Petricca Jun 03 '21 at 10:27
@AntonioPetricca in my tests, it did not work. – Sebu Jun 07 '21 at 10:15
6

I don't know why nobody said that but your repository id should match with mirrorOf value, then it will work – Boris Mitioglov Jun 21 '21 at 18:13
@BorisMitioglov My answer says: "inside the tag, you need to specify what repository is blocked" – Sebu Jul 15 '21 at 13:42
1

@Sebu repositories also have name except id, mirrorOf requires Id not a name, but thanks for the answer, maybe it's just me having troubles with that – Boris Mitioglov Jul 21 '21 at 02:43
1

@BorisMitioglov I updated my answer to include your note. Thanks for pointing it out, I guess it was not that clear. – Sebu Jul 21 '21 at 07:58
2

One more option is to override the `` block in `~/.m2/settings.xml`. This does not require modifying the maven installation, and is still applied globally (not per-project). This file can also be deployed to your CI infrastructure more easily than a modified maven install (and it applies to all copies of maven on the machine) – Akom Aug 13 '21 at 17:25
2

For NetBeans 13 users with a standard Windows install, this is in C:\Program Files\NetBeans-13\netbeans\java\maven\conf – user998303 Mar 08 '22 at 02:00
1

@Sebu Could you edit your example to make it clear that is inside ? – Tim Baverstock Jul 21 '22 at 08:26
Thanks Yours!! For me it worked well! deleted Mirror, and also, I had to configure the correct version of maven in my Intellij IDE! – ukaliko Dec 31 '22 at 16:10
Maven settings (settings.xml) are always local. If you're creating a pseudo-settings file which is not actually local, I strongly recommend *not* to call it local-settings.xml. "project-settings.xml" would be much less confusing. – Philippe Cloutier Mar 07 '23 at 22:44
I'm not sure if that makes sense and if that will ever happen, but for what it's worth, [ticket MNG-5659](https://issues.apache.org/jira/browse/MNG-5659) requests Maven to support project-specific settings files. – Philippe Cloutier Mar 10 '23 at 17:23
@Akom What? Where? How? Documentation/manual available? Sounds legit! I want it. https://maven.apache.org/guides/mini/guide-mirror-settings.html This site makes no mention of "block". Are you saying to put the same changes as suggested, but instead place them in the user's configuration folder? I assume that's what you're saying. – activedecay Mar 20 '23 at 20:32

score 144 · Answer 2 · edited Dec 06 '21 at 11:14

144

In my case, I just added a dummy mirror with the id maven-default-http-blocker to override the existing one. This disable HTTP blocking for all repositories.

<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd">
     <mirrors>
          <mirror>
               <id>maven-default-http-blocker</id>
               <mirrorOf>dummy</mirrorOf>
               <name>Dummy mirror to override default blocking mirror that blocks http</name>
               <url>http://0.0.0.0/</url>
         </mirror>
    </mirrors>
</settings>

edited Dec 06 '21 at 11:14

Rajat

2,467
2
29
38

answered Jul 15 '21 at 13:05

Nicolas

1,566
1
10
8

1

I recommend to remove the "true" so that older maven versions do not complain because they do not know the blocked tag. – Stefan Feuerhahn Aug 30 '21 at 16:17
We are using a s3 repository wagong, that was also blocked by that new http blocker – user85155 Dec 09 '21 at 09:50
1

Using maven Maven 3.8,6 you *must* specify blocked `false`. WIthout it it still complained about non-https repository. Once added `false` to the mirror it worked. – Antoine Dahan Sep 23 '22 at 21:23
please specify where does this xml piece should go – Stepan Yakovenko Jul 18 '23 at 03:36
This should go in `~/.m2/settings.xml ` – Nicolas Jul 20 '23 at 12:36

score 44 · Answer 3 · edited Jun 02 '23 at 02:04

44

Another possible solution/workaround is to override the new default http-blocking behavior by commenting out the maven-default-http-blocker mirror in the <mirrors> section of the maven's 'main' settings.xml file (under /opt/maven/conf in my case):

<!--mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>external:http:*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://0.0.0.0/</url>
  <blocked>false</blocked>
</mirror-->

P.S. Whether unblocking all the insecure http repositories is a good idea is a whole other story.

edited Jun 02 '23 at 02:04

Pang

9,564
146
81
122

answered Apr 28 '21 at 07:04

muthuh

619
7
14

2

Best answer ever! – Bogdan Mart Sep 28 '21 at 12:41
1

Works like charm.. Thanks – Shreehari Nov 17 '21 at 05:10
It works for me, thx! This should be the correct answer (tried others do not work, only this method works). – saycchai Nov 24 '22 at 01:22
I'm on windows, where is the file? – Stepan Yakovenko Jul 18 '23 at 03:36

score 18 · Answer 4 · edited Dec 06 '21 at 11:17

18

You should just add a mirror to your http repository that allows http in your maven settings. You shouldn't eliminate the default maven behavior for all repositories. Then tell your devops team to use https!

in .m2/settings.xml:

<mirrors>
        <mirror>
            <id>my-repo-mirror</id>
            <name>My Repo HTTP Mirror</name>
            <url>http://url-to.my/repo</url>
            <mirrorOf>my-repo</mirrorOf>
        </mirror>
</mirrors>

edited Dec 06 '21 at 11:17

Rajat

2,467
2
29
38

answered Apr 28 '21 at 17:54

Galen Howlett

530
4
12

3

I'm not sure why my answer was edited to remove `false` since the issue is specifically with maven 3.8.1+ once they started requiring https, where the blocked tag is definitely available. oh well – Galen Howlett Dec 07 '21 at 13:02
`false` is no longer required. – Ojonugwa Jude Ochalifu Jul 14 '22 at 17:07

score 17 · Answer 5 · edited Jun 02 '23 at 02:03

In macOS Monterey, and using IntelliJ Ultimate 2021.3 (and up), with maven NOT INSTALLED in the system and using maven as a plugin inside IntelliJ, I found the "settings.xml" file in the path:

${user.home}/Library/Application Support/JetBrains/Toolbox/apps/IDEA-U/ch-0/213.5744.223/IntelliJ IDEA.app/Contents/plugins/maven/lib/maven3/conf/settings.xml

Note: the above path is when the IntelliJ is installed using the JetBrains Toolbox App, and the version number indicated (213.5744.223) can defer if you have another version, verify when travelling the path to the file.

Open the "settings.xml" file with your favourite editor, and comment the next lines:

<!--<mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>external:http:*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://0.0.0.0/</url>
  <blocked>true</blocked>
</mirror>-->

Hope it helped.

Thanks, I had this issue with maven manually installed but it turns out IntelliJ was still using its internally installed copy of maven. — flodin, Aug 12 '22 at 11:39

score 7 · Answer 6 · answered Apr 21 '22 at 09:30

7

I solved the issue by simply replacing "http" with "https" in .xml file (in my case pom.xml). This solved my error.

answered Apr 21 '22 at 09:30

Hassan Shahzad

455
6
14

2

But the question is how to unblock HTTP URLs. – seenukarthi Apr 21 '22 at 09:34
Yeah its a difficult approach as many people like me did not know that alternative solutions exist. So my solution was solved using the above mentioned trick that i further explained too. – Hassan Shahzad Apr 22 '22 at 06:12

score 6 · Answer 7 · answered May 03 '22 at 15:36

Same problem with macOS Monterey 12.3.1 and IntelliJ 2022.1 using bundled maven (3.8.1). The solution is similar to the one proposed by MrBitwise but the settings file has a different path (it is the one embedded inside the app contents folder):

/Applications/IntelliJ\ IDEA\ CE.app/Contents/plugins/maven/lib/maven3/conf/settings.xml

Then I commented the following code:

<mirror>
    <id>maven-default-http-blocker</id>
    <mirrorOf>external:http:*</mirrorOf>
    <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
    <url>http://0.0.0.0/</url>
    <blocked>true</blocked>
</mirror>

score 5 · Answer 8 · answered Jan 20 '22 at 19:51

Unblock a Specific HTTP Repository

To unblock a specific repository, you may define a dummy mirror of it in your settings by adding a <mirror> with the same url, and its <mirrorOf> value matching your repository's id. Nothing else needs to change for this to work.

For example:
If your repo id is team-internal-repo, then a mirror added to your ~/.m2/settings.xml might look like this:

<settings>
...
    <!-- Add a mirror. -->
    <mirrors>
        <mirror>
            <id>team-internal-repo-mirror</id>
            <mirrorOf>team-internal-repo</mirrorOf> <!-- Must match repository id. -->
            <name>Dummy mirror to unblock the team repo server</name>
            <url>http://insecure-internal-server/repository/team-repo/</url>
           <!-- <blocked>false</blocked> --> <!-- This is not needed, the mirror is unblocked by default. -->
        </mirror>
    </mirrors>

    <!-- Existing profile does not need to change. -->
    <profiles>
        <profile>
            <id>default_profile</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <repositories>
                <repository>
                    <id>team-internal-repo</id>
                    <name>Dev Team Internal Artifacts</name>
                    <url>http://insecure-internal-server/repository/team-repo/</url>
                    <snapshots>
                        <enabled>true</enabled>
                    </snapshots>
                </repository>
            </repositories>
...
        </profile>
    </profiles>
</settings>

The <blocked> tag is not needed here. Other users have commented that the tag breaks older versions of maven. I tested an http repo with and without this tag and it worked both ways. (Tested using maven 3.8.2.)

Unblocking one or more explicit repos is better than universally unblocking all http repositories. Doing that may be a bad idea:

It presents a greater security risk. There's a reason apache made this change, and it is discussed in the release notes referenced by OP: https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
Modifying the internal configuration of your Maven installation (i.e. the settings file in /opt/apache-maven-3.8.1 instead of your own in ~/.m2) could create a headache when updating or reinstalling future releases of maven. If that file gets overridden, your repo might suddenly be blocked again.

score 2 · Answer 9 · answered Aug 31 '21 at 17:17

You could follow the official recommendation from the Maven documentation, it is explained in the same link that you shared: https://maven.apache.org/docs/3.8.1/release-notes.html#how-to-fix-when-i-get-a-http-repository-blocked

Options to fix are:

upgrade the dependency version to a newer version that replaced the obsolete HTTP repository URL with a HTTPS one,

keep the dependency version but define a mirror in your settings.

It includes a link to Maven - Guide to Mirror Settings

As others mentioned, you should not override the default security settings.

score 2 · Answer 10 · edited Apr 19 '22 at 06:32

Sometimes, when your local version of settings.xml is low and your maven version is higher than that, then removing this configuration cannot solve the problem:

<mirrors>
<mirror>
    <id>my-repository-http-unblocker</id>
    <mirrorOf>my-blocked-http-repository</mirrorOf>
    <name></name>
    <url>http://........</url>
</mirror>

Maybe see if adding <blocked>false</blocked> will solve the problem:

<mirrors>
    <mirror>
        <id>my-repository-http-unblocker</id>
        <mirrorOf>my-blocked-http-repository</mirrorOf>
        <name></name>
        <url>http://your blocked url</url>
         <blocked>false</blocked>
    </mirror>
</mirrors>

score 1 · Answer 11 · answered Jun 15 '22 at 23:04

For your local environment, the quickest way is to set the blocked value from true to false in your .m2\settings.xml

  <id>maven-default-http-blocker</id>
  <mirrorOf>external:http:*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://0.0.0.0/</url>
  <blocked>false</blocked>
</mirror>

score 1 · Answer 12 · answered Jun 21 '22 at 07:02

I was able to compile by commenting the code: /Applications/IntelliJ\ IDEA.app/Contents/plugins/maven/lib/maven3/conf/settings.xml

    <!--<mirror>
   <id>maven-default-http-blocker</id>
   <mirrorOf>external:http:*</mirrorOf>
   <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
   <url>http://0.0.0.0/</url>
   <blocked>false</blocked>
 </mirror>-->

Pude compilar comentando el codigo dentro de la ruta /Applications/IntelliJ\ IDEA.app/Contents/plugins/maven/lib/maven3/conf/settings.xml

score 1 · Answer 13 · answered Sep 10 '22 at 16:54

1

Use the latest versions of your dependencies and plugins. I had the same issue with libraries from 'com.sun.xml.ws', but changing their versions from 3.8.3 to 4.0.0 fixed it.

answered Sep 10 '22 at 16:54

Monika Valkova

11
3

This saved me some time, thanks! – Vlad L Sep 23 '22 at 01:21

score 1 · Answer 14 · answered Sep 15 '22 at 07:00

Unblock a password protected HTTP repository

I didn't like to modify the global settings.xml of IntelliJ (probably requires fix again after every update), and the method unblocking all http-repos didn't work for me - I guess because our HTTP-repo is password protected.

What worked for me finally was a mirror entry that exactly fits the original repo:

Same ID as the repo.
Same URL as the repo (it's just a fake mirror)
mirrorOf also has that same ID.
blocked set to false of course.

Thus the mirror mirrors exactly the HTTP repo and nothing else - you need a mirror for each HTTP repo. But since the mirror has the same ID as the Repo, the authentication settings in the "server" section that refers to that repo also fits to the mirror and allows access.

 <mirror>
        <id>repoId</id><!-- Must fit to serverID!!! (can be same as repoID) -->
        <name>My Mirror</name>
        <!-- URL of the mirror - in our case just the same as the repo itself. -->
        <url>http://mvn-host/content/repositories/myrepo/</url>
        <mirrorOf>repoId</mirrorOf><!-- Mirrors exactly the repo itself -->
        <blocked>false</blocked><!-- Unblock http access - only works in mirrors, and that's why we need a mirror. -->
    </mirror>

The key to all this is that the mirror needs a server entry if it is protected.

Kamalashree Sundar · Answer 15 · 2021-08-18T10:46:57.883

If you are using maven version 3.8 or greater HTTP is not supported. Try to use a lower version or upgrade the repo to HTTPS For more information please refer https://help.mulesoft.com/s/article/Maven-error-when-building-application-Blocked-Mirror-for-repositories#:~:text=Upgrade%20the%20Maven%20repository%20so,of%20the%20obsolete%20HTTP%20one.&text=Define%20a%20mirror%20in%20your%20settings.&text=Define%20an%20exception%20for%20a%20specific%20repository.&text=The%20false%3C%2F,be%20used%20as%20an%20exception.

score 0 · Answer 16 · answered Oct 25 '21 at 11:17

A bit different solution that has helped me, is more related to our corporate environment and involves the fact that we are slowly moving out of maven to another dep/build tool, but there is still a 'corporate' settings.xml file defined.

So just rename it to a different file (instead of deleting), like mv settings.xml settings-backup.xml, and returning maven again would help you to check if it's the issue.

japzio · Answer 17 · 2022-03-07T01:05:03.593

I encountered this issue when I installed a new version of maven. Fixed this by renaming .m2 directory to whatever or like .m2-old then run maven again. it will recreate the directory, the drawback is it will redownload all jar since the new .m2 is empty. Then just transfer your settings.xml to that new .m2 directory.

I've yet to test if copy the repository directory from the old .m2 to the new one will just work fine.

Update : copying the repository directory from ~/.m2-old to the new ~/.m2 didnt cause any errors when running maven afterwards

score 0 · Answer 18 · answered Jan 19 '23 at 10:33

You can use a Maven wrapper to help you with the problem, the version below 3.8.1 work well with it.

To create a Maven wrapper do

mvn -N io.takari:maven:0.7.7:wrapper -Dmaven=3.6.1

After this settings --> build, Execution, Deployment --> build tools --> Maven

Select the Maven Home Path to *Use Maven Wrapper*

Go back to your project and from the Maven Settings

This solved my issue, hope it will help you too.

score 0 · Answer 19 · answered Feb 28 '23 at 10:56

Comment out maven-default-http-blocker in $MAVEN_HOME/conf/settings.xml

    <!--
    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>
    -->

MAVEN_HOME can be find by run mvn -version

score 0 · Answer 20 · answered Mar 09 '23 at 16:12

For those following the answer from Sebu. If someone else is getting Unable to parse maven.config file options: Unrecognized option: --settings ./.mvn/settings.xml just add a newline after the settings flag. Should look like this:

--settings 
./.mvn/settings.xml

score 0 · Answer 21 · answered Mar 16 '23 at 14:56

On my environment there was no settings.xml file on the .m2 folder. Therefore I created a settings.xml file in ./m2 folder as follows and added the required urls.

<settings>
  <mirrors>
    <mirror>
      <id>allow-http</id>
      <mirrorOf>external:http:*</mirrorOf>
      <url>http://**url1**</url>
      <blocked>false</blocked>
    </mirror>
    <mirror>
      <id>allow-http</id>
      <mirrorOf>external:http:*</mirrorOf>
      <url>http://maven.wso2.org/nexus/content/repositories/releases/</url>
      <blocked>false</blocked>
    </mirror>
    <mirror>
      <id>allow-http</id>
      <mirrorOf>external:http:*</mirrorOf>
      <url>http://**url2**</url>
      <blocked>false</blocked>
    </mirror>
  </mirrors>
</settings>

score -1 · Answer 22 · edited Mar 29 '23 at 07:13

-1

If facing this issue in IDE, change the Maven home path in maven settings to "Use Maven Mapper". This solved the problem for me.

[ enter image description here

edited Mar 29 '23 at 07:13

michaldo

4,195
1
39
65

answered Mar 21 '23 at 10:15

Pankaj gupta

1
1

How to disable maven blocking external HTTP repositories?

22 Answers22

Unblock a Specific HTTP Repository

Unblock a password protected HTTP repository

Linked