41

Recently Sonatype enabled Maven Central to support HTTPS (background information). I've now added the following snippet to my pom.xml to force using HTTPS everywhere:

<!-- force https -->
<repositories>
    <repository>
        <id>central</id>
        <url>https://repo1.maven.org/maven2</url>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </repository>
</repositories>
<pluginRepositories>
    <pluginRepository>
        <id>central</id>
        <url>https://repo1.maven.org/maven2</url>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </pluginRepository>
</pluginRepositories>

Questions:

  • Is this sufficient? Or will there still be HTTP involved somewhere?
  • Is this the correct way of doing it? As I've read that I should do this in the settings.xml instead. But then others using my (open source) project won't use the secure connection.

Update

It does not look sufficient, as e.g. for the assembly plugin HTTP is still used:

[INFO] --- maven-assembly-plugin:2.4:single (make-assembly) @ graphhopper-web ---
Downloading: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-jdk14/1.5.6/slf4j-jdk14-1.5.6.jar
Karussell
  • Might I ask why you are doing this? Surely you wouldn't be contributing to open source projects while you're supposed to be *working*, while being afraid your employer might inspect the packets, would you? Nothing to hide, nothing to fear, buddy! – corazza Aug 19 '14 at 21:33
  • 8
    Don't understand your question. This is to protect the users of my project from man-in-the-middle attacks. – Karussell Aug 19 '14 at 21:34
  • I was genuinely curious why exactly you were doing this, thanks for the answer that makes sense. The ... thing is a sarcastic remark about unencrypted traffic and potentially nosy employers, HTTPS is good for that too :) – corazza Aug 19 '14 at 21:36
  • I use central https://repo1.maven.org/maven2 false and my problem is solved; mvn works and continues to download from https, thanks – Vishal Monga Jan 28 '20 at 10:35
  • Additionally I had to modify eclipse, Maven / User Settings [Eclipse](https://i.stack.imgur.com/48Dyd.png) – Juan Gomez May 14 '20 at 14:31
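
The Update in the question spots the plain-HTTP fetch by reading the build output by eye. The following Python is an added example, not part of the original post: it scans a saved Maven log and attributes every `http://` transfer to the plugin execution that triggered it. The function name, the assumed line formats and the sample log (built around the two lines quoted in the question) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Banner Maven prints before each plugin execution, e.g.
# [INFO] --- maven-assembly-plugin:2.4:single (make-assembly) @ graphhopper-web ---
GOAL = re.compile(
    r"^\[INFO\] --- (?P<plugin>[\w.\-]+):(?P<version>[^:\s]+):(?P<goal>[\w\-]+)"
    r"(?: \([^)]*\))? @ (?P<module>\S+) ---"
)
# Transfer lines. Assumption: either the older "Downloading: <url>" form shown in
# the question or the newer "[INFO] Downloading from <repo-id>: <url>" form.
TRANSFER = re.compile(
    r"^(?:\[INFO\] )?(?:Downloading|Downloaded)(?: from [^:\s]+)?: (?P<url>\S+)"
)

def insecure_downloads(log_text):
    """Map each plugin execution to the artifacts it fetched over plain http://."""
    context = "(dependency resolution before any plugin ran)"
    hits = defaultdict(set)
    for line in log_text.splitlines():
        goal = GOAL.match(line)
        if goal:
            context = "{plugin}:{version}:{goal} @ {module}".format(**goal.groupdict())
            continue
        transfer = TRANSFER.match(line)
        if transfer and urlsplit(transfer["url"]).scheme.lower() == "http":
            hits[context].add(transfer["url"])  # set merges Downloading/Downloaded pairs
    return {ctx: sorted(urls) for ctx, urls in hits.items()}

# Constructed sample log; only the assembly-plugin lines mirror the question.
SAMPLE_LOG = """\
Downloading: https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.pom
Downloaded: https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.pom (3 KB at 20.1 KB/sec)
[INFO] --- maven-assembly-plugin:2.4:single (make-assembly) @ graphhopper-web ---
Downloading: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-jdk14/1.5.6/slf4j-jdk14-1.5.6.jar
Downloaded: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-jdk14/1.5.6/slf4j-jdk14-1.5.6.jar (9 KB at 50.0 KB/sec)
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/example/demo/1.0/demo-1.0.jar
"""

if __name__ == "__main__":
    for ctx, urls in insecure_downloads(SAMPLE_LOG).items():
        print(ctx)
        for url in urls:
            print("  INSECURE", url)
```

A non-empty result can be used to fail a CI job, so a repository override that silently stops applying is caught on the next build.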

8 Answers

48

You don't have to place it into all POMs one by one. I'd rather suggest adding the following code to MAVEN_HOME\conf\settings.xml, in the <profiles> section:

<profile>
    <id>maven-https</id>
    <activation>
        <activeByDefault>true</activeByDefault>
    </activation>
    <repositories>
        <repository>
            <id>central</id>
            <url>https://repo1.maven.org/maven2</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>central</id>
            <url>https://repo1.maven.org/maven2</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </pluginRepository>
    </pluginRepositories> 
</profile>

This will always be an active setting unless you disable/override it in your POM when needed.

Pang
Ellrohir
32

This is already fixed in the latest Maven 3.2.3! See the changelogs!

So install maven 3.2.3 and do 'rm -rf ~/.m2/repository/*' for a better feeling ;)

Karussell
16

You can do the following to force Maven to use a single repo:

<settings>
  ...
  <mirrors>
    <mirror>
      <id>internal-repository</id>
      <name>Maven Repository Manager running on https://repo1.maven.org/maven2</name>
      <url>https://repo1.maven.org/maven2</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
  ...
</settings>

You can find more info here.

And also you can use authentication to the repo if you like, the info is here.

  • As I stated already in the question: but then others would have to setup this in their settings.xml as well. That would be ugly I think. Or is this possible in the pom.xml too? – Karussell Aug 19 '14 at 21:54
  • settings and/or mirrors is not accepted in pom.xml, or where do I have to put it there? – Karussell Aug 19 '14 at 21:58
  • yeah you are right it's not possible, but a chance that you upload the settings file to svn, and everybody else would have it –  Aug 19 '14 at 22:00
  • they would have it but they would need to place it correctly. Maven was invented for easy setup so that is not an option for me. – Karussell Aug 19 '14 at 22:02
  • they would only need to update their svn, nothing more –  Aug 19 '14 at 22:05
  • 1
    First I would suggest to start using a repository manager like Nexus, Artifactory or Archiva and configure such things at a central location. Furthermore the settings.xml is the only location where such things should be configured and never within pom file. – khmarbaise Aug 20 '14 at 07:05
  • 1
    That is all too complex, not for me of course, but for users trying my open source project. – Karussell Aug 20 '14 at 18:00
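
A check for the configuration files discussed in these answers, as an added example that is not code from any of the posts: it lists every `repository`, `pluginRepository`, `snapshotRepository` or `mirror` entry in a pom.xml or settings.xml whose `<url>` is plain `http://`. The function names and both sample documents (including the host repo.example.org and the http variant of the mirror) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Elements whose <url> child is a location Maven downloads from or deploys to.
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository", "mirror"}

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on namespaced POM tags."""
    return tag.rsplit("}", 1)[-1]

def insecure_repos(xml_text):
    """Return (element, id, url) for each repository-like entry using http://."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) not in REPO_TAGS:
            continue
        fields = {local(child.tag): (child.text or "").strip() for child in elem}
        url = fields.get("url", "")
        # Only <url> counts: the xmlns attribute is an identifier, never fetched.
        if urlsplit(url).scheme.lower() == "http":
            findings.append((local(elem.tag), fields.get("id", "?"), url))
    return findings

# Constructed sample pom.xml: central is overridden to https, one repo is not.
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>central</id><url>https://repo1.maven.org/maven2</url></repository>
    <repository><id>legacy-example</id><url>http://repo.example.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>central</id><url>https://repo1.maven.org/maven2</url></pluginRepository>
  </pluginRepositories>
</project>
"""

# Constructed sample settings.xml: a catch-all mirror left on http.
SAMPLE_SETTINGS = """\
<settings>
  <mirrors>
    <mirror><id>internal-repository</id><url>http://repo1.maven.org/maven2</url><mirrorOf>*</mirrorOf></mirror>
  </mirrors>
</settings>
"""

if __name__ == "__main__":
    for name, doc in (("pom.xml", SAMPLE_POM), ("settings.xml", SAMPLE_SETTINGS)):
        for tag, repo_id, url in insecure_repos(doc):
            print(f"{name}: <{tag}> id={repo_id} uses {url}")
```

Running it over the output of `mvn help:effective-pom` also covers repositories inherited from parent POMs and from Maven's built-in defaults, which a scan of the project's own pom.xml does not see.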
6

Add the below code to your pom.xml file; there is no need to remove the local cache. It works like a charm.

<distributionManagement>
    <repository>
        <id>Central Maven repository</id>
        <name>Central Maven repository https</name>
        <url>https://repo.maven.apache.org/maven2</url>
    </repository>
</distributionManagement>

Maven update with terminal

mvn -U clean install
Nizam Mahammad
  • 1
    There is no need to run with -U option. – ScanQR Jul 21 '20 at 13:02
  • @ScanQR, it updates the Maven dependencies – Nizam Mahammad Jun 10 '21 at 08:01
  • 1
    @NizamMahammad `-U` is short for `--update-snapshots – Forces a check for updated releases and snapshots on remote repositories`. As long as you don't purge `~/.m2/repository/` before, releases and snapshots are not going to be updated, since they are already there. Only snapshot versions that do not exist in the local repo are downloaded. `-U` just overrides the "[**updatePolicy:** This element specifies how often updates should attempt to occur. \[...\] , `daily` (default), \[...\]](https://maven.apache.org/settings.html#Repositories)". ...cont'd... – Gerold Broser Sep 15 '21 at 23:34
  • ...cont'd... @NizamMahammad I'm not 100 % sure about the following: "_check for updated releases_" could refer to what never ever should be done anyway: deploying a different (updated) artifact with the same release version. Many remote repo managers don't allow that by default but can be configured to allow such. – Gerold Broser Sep 15 '21 at 23:42
2

I was also getting the same issue and tried all the possible ways of changing the proxies mapping, but nothing worked. Finally I got the solution: adding the below code to the settings.xml file in the .m2 folder resolved the problem.

Note: Working fine for me without enabling the proxy in settings.xml.

<settings>
  <mirrors>
    <mirror>
      <id>internal-repository</id>
      <name>Maven Repository Manager running on https://repo1.maven.org/maven2</name>
      <url>https://repo1.maven.org/maven2</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
</settings>

2

Based on @Karussell, instead of deleting the whole local repository, you can fix it by deleting a specific package.

  1. Install/Update maven to latest version (>= 3.2.3)
  2. Go to your local repository directory (~/.m2/repository)
  3. Delete all packages under org.apache.maven: rm -rf ~/.m2/repository/org/apache/maven/*

By doing the above steps, you will need to re-download some of Maven's packages, but you don't need to re-download all packages.

Chaerun
2

This question was asked in a recent question. Since NetBeans was not specifically covered in existing answers here, I am adding the following.


Short Answer

Upgrade Maven. The URLs you need to use (with the https protocol) will be provided in a suitably recent version of Maven. This is the simplest solution for older installations of NetBeans.


Details

For NetBeans 8.2, which uses version 3.0.5 as its bundled Maven version, you can upgrade Maven to at least version 3.2.3 (or later).

Check the Current Version

You can check which version of Maven is being used by NetBeans as follows:

  • In the main menu, go to Tools > Options.

  • Select the Java icon, and then the Maven tab below it.

[Screenshot: NetBeans Options, Java > Maven tab]

Install an Upgraded Version

Download and install Maven - for example, from here:

https://maven.apache.org/download.cgi

The installation instructions are here:

https://maven.apache.org/install.html

Update NetBeans

Go back to the location in NetBeans shown in the above screenshot.

Click on the Maven Home drop-down and select "browse...". Navigate to the location where you installed the new version of Maven - for example:

E:\apache-maven-3.8.2-bin\apache-maven-3.8.2

You should now see the new version reflected in NetBeans.

Click OK.

Finally, re-try the failed build command.

andrewJames
0

To resolve this error you can add a new repository as https://repo.maven.apache.org/maven2/