1

I need an HTTPS Maven repository URL for SpringSource to configure in my pom.xml.

Right now I use the following HTTP URLs:

  • http://repository.springsource.com/maven/bundles/release
  • http://repository.springsource.com/maven/bundles/external

ManKum
  • So what's the problem with the current URL you've got? I'm not entirely sure there's a valid use case for using HTTPS to pull Maven artifacts. But if you insist, you can set up your own Nexus mirror and run it over HTTPS – gerrytan May 30 '13 at 06:29
  • Well, we would like to pull the Maven artifacts over a secure HTTPS connection. So I was on the lookout for an HTTPS URL for Spring but couldn't find any. – ManKum May 30 '13 at 06:43
  • So you think HTTPS is by definition secure? From a source on the internet? Sounds like a contradiction. – khmarbaise May 30 '13 at 12:07
  • Did you see the answer below? Was it helpful? – Michael Jun 06 '13 at 10:03

2 Answers

0

Use the same links as you used, just with HTTPS:

  • https://repository.springsource.com/
  • https://repository.springsource.com/maven/bundles/release
  • https://repository.springsource.com/maven/bundles/external

Added after the comment

You should import the following 3 certificates into the trust store and configure Java to use it:

enter image description here

Community
Michael
  • Thanks. I tried this already but I'm getting the following exception when trying to build using `mvn clean install`: `java.security.cert.CertificateException: No subject alternative DNS name matching repository.springsource.com found`. I tried installing the certificates using the Java `keystore` tool, after exporting the certificates from Firefox. It would be great if someone could shed light on this for me! – ManKum Jun 03 '13 at 02:45
  • As I said previously, I tried importing them into the truststore, but failed with the above error. It would be helpful if you could let me know the proper steps, right from exporting through Firefox to the keystore commands, to do it properly. – ManKum Jun 03 '13 at 04:26
  • [I found this answer!](http://www.coderanch.com/t/134384/Security/error-subject-alternative-names-secure) - But I still don't have a conclusive answer that works without writing any Java code! – ManKum Jun 03 '13 at 10:15
  • Look here for how to configure a truststore in Java: http://stackoverflow.com/questions/6340918/trust-store-vs-key-store-creating-with-keytool and here for how to import: http://stackoverflow.com/questions/2774722/using-httpclient-with-ssl-and-certificates/2774815#2774815 – Michael Jun 04 '13 at 04:32
0

Another option to improve security is that you always verify the SHA-1 checksum after you have downloaded a dependency. Maven Central provides Spring artifacts for all released versions, as well as their corresponding SHA-1 checksums, e.g. spring-core:

```
spring-core-3.2.3.RELEASE.pom 230116bb23132569443ac0479c8ac7e33e9662e7
spring-core-3.2.3.RELEASE.jar accdd65db57e79e49f2af037bb76f5a55a580f00
```

On Ubuntu, you can use the `sha1sum` command:

```
sha1sum spring-core-3.2.3.RELEASE.jar
```

On Mac you can use the `openssl sha1` command:

```
openssl sha1 spring-core-3.2.3.RELEASE.jar
```
Community
matsev
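The checksum check from the answer above can be scripted so it runs the same way on Ubuntu and Mac and fails the build on a mismatch. This is an added example, not code from the thread; the script name `verify-sha1.sh` and the manifest format (pinned hashes kept in a file obtained separately from the download) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: check downloaded artifacts against pinned SHA-1 values.

# Print the hex SHA-1 of a file with whichever tool is installed
# (sha1sum on Ubuntu; shasum or openssl on Mac). Reading from stdin
# keeps the file name out of the tool's output.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum < "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 1 < "$1" | awk '{print $1}'
  else
    openssl sha1 < "$1" | awk '{print $NF}'   # "SHA1(stdin)= <hex>"
  fi
}

# verify_artifact FILE EXPECTED_SHA1
# Returns 0 on match, 1 on mismatch, 2 if the file or pinned hash is unusable.
verify_artifact() {
  local file="$1" expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # A pinned value that is not exactly 40 hex digits is rejected, not compared.
  if [ "${#expected}" -ne 40 ] || printf '%s' "$expected" | grep -q '[^0-9a-f]'; then
    echo "BAD-HASH  $file" >&2; return 2
  fi
  [ -f "$file" ] || { echo "MISSING   $file" >&2; return 2; }
  actual=$(sha1_of "$file")
  if [ "$actual" = "$expected" ]; then echo "OK        $file"; return 0; fi
  echo "MISMATCH  $file (got $actual, pinned $expected)" >&2
  return 1
}

# verify_manifest MANIFEST
# MANIFEST holds "<sha1>  <path relative to the manifest>" per line;
# '#' starts a comment. Every entry is checked; non-zero if any failed.
verify_manifest() {
  local manifest="$1" dir failures=0 hash path
  dir=$(dirname "$manifest")
  while read -r hash path || [ -n "$hash" ]; do
    case $hash in ''|'#'*) continue ;; esac
    verify_artifact "$dir/$path" "$hash" || failures=$((failures + 1))
  done < "$manifest"
  [ "$failures" -eq 0 ]
}

# Run as a script: ./verify-sha1.sh pinned.sha1list
if [ "$#" -gt 0 ]; then verify_manifest "$1"; fi
```

A manifest line for the jar in the answer would read `accdd65db57e79e49f2af037bb76f5a55a580f00  spring-core-3.2.3.RELEASE.jar`.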