Maven blocks external HTTP repositories by default since version 3.8.1 (see https://maven.apache.org/docs/3.8.1/release-notes.html)
Is there a way to disable that or to exempt a repository from this rule?
I found a solution to do this by inspecting the commit in the Maven git repository that is responsible for the default HTTP blocking: https://github.com/apache/maven/commit/907d53ad3264718f66ff15e1363d76b07dd0c05f
My solution is as follows:
In the Maven settings (located in ${maven.home}/conf/settings.xml or ${user.home}/.m2/settings.xml), the following entry must be removed:
<mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
</mirror>
If you work in a project and cannot make sure the Maven settings are always like that, e.g. because you share code with other people or want to use CI/CD with automated testing, you may do the following: Add a directory named .mvn in the project. In the .mvn directory, add a file named maven.config with the content --settings ./.mvn/local-settings.xml. In the .mvn directory, add a file named local-settings.xml. This file should look like this:
<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd">
<mirrors>
<mirror>
<id>my-repository-http-unblocker</id>
<mirrorOf>my-blocked-http-repository</mirrorOf>
<name></name>
<url>http://........</url>
</mirror>
</mirrors>
</settings>
Where inside the <mirrorOf> tag, you need to specify the id of the blocked repository, and in the <url> tag, you specify the original url of the repository again. You need to create this unblocker mirror for every repository you have that is blocked.
Example:
If you have the following HTTP repositories defined in the pom.xml:
<repositories>
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<name>libs-release</name>
<url>http://my-url/libs-release</url>
</repository>
<repository>
<id>snapshots</id>
<name>libs-snapshot</name>
<url>http://my-url/libs-snapshot</url>
</repository>
</repositories>
Then you need in the .mvn/local-settings.xml:
<settings>
<mirrors>
<mirror>
<id>release-http-unblocker</id>
<mirrorOf>central</mirrorOf>
<name></name>
<url>http://my-url/libs-release</url>
</mirror>
<mirror>
<id>snapshot-http-unblocker</id>
<mirrorOf>snapshots</mirrorOf>
<name></name>
<url>http://my-url/libs-snapshot</url>
</mirror>
</mirrors>
</settings>
I hope my work can help other people who stumble upon this. However, if you have a more elegant or better solution, please share!
In my case, I just added a dummy mirror with the id maven-default-http-blocker to override the existing one. This disable HTTP blocking for all repositories.
<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd">
<mirrors>
<mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>dummy</mirrorOf>
<name>Dummy mirror to override default blocking mirror that blocks http</name>
<url>http://0.0.0.0/</url>
</mirror>
</mirrors>
</settings>
Another possible solution/workaround is to override the new default http-blocking behavior by commenting out the maven-default-http-blocker mirror in the <mirrors> section of the maven's 'main' settings.xml file (under /opt/maven/conf in my case);
<!--mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
<blocked>false</blocked>
</mirror-->
P.S. Whether unblocking all the insucure http repositories is a good idea is a whole other story.
You should just add a mirror to your http repository that allows http in your maven settings. You shouldn't eliminate the default maven behavior for all repositories. Then tell your devops team to use https!
in .m2/settings.xml:
<mirrors>
<mirror>
<id>my-repo-mirror</id>
<name>My Repo HTTP Mirror</name>
<url>http://url-to.my/repo</url>
<mirrorOf>my-repo</mirrorOf>
</mirror>
</mirrors>
In macOS Monterey, and using Intellij Ultimate 2021.3 (and up), with maven NOT INSTALLED in the system and using maven as a plugin inside Intellij, i found the "settings.xml" file in the path:
${user.home}/Library/Application Support/JetBrains/Toolbox/apps/IDEA-U/ch-0/213.5744.223/IntelliJ IDEA.app/Contents/plugins/maven/lib/maven3/conf/settings.xml
Note: the above path is when the Intellij is installed using the Jetbrains Toolbox App, and the version number indicated (213.5744.223) can defer if you have another version, verify when travelling the path to the file.
Open the "settings.xml" file with your favourite editor, and comment the next lines:
<!--<mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
<blocked>true</blocked>
</mirror>-->
Hope it helped.
I solved the issue by simply replacing "http" with "https" in .xml file (in my case pom.xml).
This solved my error.
Unblock a Specific HTTP Repository
To unblock a specific repository, you may define a dummy mirror of it in your settings by adding a <mirror> with the same url, and its <mirrorOf> value matching your repository's id. Nothing else needs to change for this to work.
For example:
If your repo id is team-internal-repo, then a mirror added to your ~/.m2/settings.xml might look like this:
<settings>
...
<!-- Add a mirror. -->
<mirrors>
<mirror>
<id>team-internal-repo-mirror</id>
<mirrorOf>team-internal-repo</mirrorOf> <!-- Must match repository id. -->
<name>Dummy mirror to unblock the team repo server</name>
<url>http://insecure-internal-server/repository/team-repo/</url>
<!-- <blocked>false</blocked> --> <!-- This is not needed, the mirror is unblocked by default. -->
</mirror>
</mirrors>
<!-- Existing profile does not need to change. -->
<profiles>
<profile>
<id>default_profile</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<repositories>
<repository>
<id>team-internal-repo</id>
<name>Dev Team Internal Artifacts</name>
<url>http://insecure-internal-server/repository/team-repo/</url>
<snapshots>
<enabled>true</enabled>
</snapshots>
</repository>
</repositories>
...
</profile>
</profiles>
</settings>
The <blocked> tag is not needed here. Other users have commented that the tag breaks older versions of maven. I tested an http repo with and without this tag and it worked both ways. (Tested using maven 3.8.2.)
Unblocking one or more explicit repos is better than universally unblocking all http repositories. Doing that may be a bad idea:
It presents a greater security risk. There's a reason apache made this change, and it is discussed in the release notes referenced by OP: https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
Modifying the internal configuration of your Maven installation (i.e. the settings file in /opt/apache-maven-3.8.1 instead of your own in ~/.m2) could create a headache when updating or reinstalling future releases of maven. If that file gets overridden, your repo might suddenly be blocked again.
Same problem with macOS Monterey 12.3.1 and IntelliJ 2022.1 using bundled maven (3.8.1). The solution is similar to the one proposed by MrBitwise but the settings file has a different path (it is the one embedded inside the app contents folder):
/Applications/IntelliJ\ IDEA\ CE.app/Contents/plugins/maven/lib/maven3/conf/settings.xml
Then I commented the following code:
<mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
<blocked>true</blocked>
</mirror>
You could follow the official recommendation from the Maven documentation, it is explained in the same link that you shared: https://maven.apache.org/docs/3.8.1/release-notes.html#how-to-fix-when-i-get-a-http-repository-blocked
Options to fix are:
upgrade the dependency version to a newer version that replaced the
obsolete HTTP repository URL with a HTTPS one,
keep the dependency version but define a mirror in your settings.
It includes a link to Maven - Guide to Mirror Settings
As others mentioned, you should not override the default security settings.
Sometimes, when your local version of settings.xml is low and your maven version is higher than that, then removing this configuration cannot solve the problem:
<mirrors>
<mirror>
<id>my-repository-http-unblocker</id>
<mirrorOf>my-blocked-http-repository</mirrorOf>
<name></name>
<url>http://........</url>
</mirror>
Maybe see if adding <blocked>false</blocked> will solve the problem:
<mirrors>
<mirror>
<id>my-repository-http-unblocker</id>
<mirrorOf>my-blocked-http-repository</mirrorOf>
<name></name>
<url>http://your blocked url</url>
<blocked>false</blocked>
</mirror>
</mirrors>
Use the latest versions of your dependencies and plugins. I had the same issue with libraries from 'com.sun.xml.ws', but changing their versions from 3.8.3 to 4.0.0 fixed it.
If you are using maven version 3.8 or greater HTTP is not supported. Try to use a lower version or upgrade the repo to HTTPS For more information please refer
https://help.mulesoft.com/s/article/Maven-error-when-building-application-Blocked-Mirror-for-repositories#:~:text=Upgrade%20the%20Maven%20repository%20so,of%20the%20obsolete%20HTTP%20one.&text=Define%20a%20mirror%20in%20your%20settings.&text=Define%20an%20exception%20for%20a%20specific%20repository.&text=The%20false%3C%2F,be%20used%20as%20an%20exception.
A bit different solution that has helped me, is more related to our corporate environment and involves the fact that we are slowly moving out of maven to another dep/build tool, but there is still a 'corporate' settings.xml file defined.
So just rename it to a different file (instead of deleting), like mv settings.xml settings-backup.xml, and returning maven again would help you to check if it's the issue.
I encountered this issue when I installed a new version of maven. Fixed this by renaming .m2 directory to whatever or like .m2-old then run maven again. it will recreate the directory, the drawback is it will redownload all jar since the new .m2 is empty. Then just transfer your settings.xml to that new .m2 directory.
I've yet to test if copy the repository directory from the old .m2 to the new one will just work fine.
Update : copying the repository directory from ~/.m2-old to the new ~/.m2 didnt cause any errors when running maven afterwards
For your local environment, the quickest way is to set the blocked value from true to false in your .m2\settings.xml
<id>maven-default-http-blocker</id>
<mirrorOf>external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
<blocked>false</blocked>
</mirror>
I was able to compile by commenting the code:
/Applications/IntelliJ\ IDEA.app/Contents/plugins/maven/lib/maven3/conf/settings.xml
<!--<mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
<blocked>false</blocked>
</mirror>-->
Pude compilar comentando el codigo dentro de la ruta
/Applications/IntelliJ\ IDEA.app/Contents/plugins/maven/lib/maven3/conf/settings.xml
Unblock a password protected HTTP repository
I didn't like to modify the global settings.xml of IntelliJ (probably requires fix again after every update), and the method unblocking all http-repos didn't work for me - I guess because our HTTP-repo is password protected.
What worked for me finally was a mirror entry that exactly fits the original repo:
Same ID as the repo.
Same URL as the repo (it's just a fake mirror)
mirrorOf also has that same ID.
blocked set to false of course.
Thus the mirror mirrors exactly the HTTP repo and nothing else - you need a mirror for each HTTP repo. But since the mirror has the same ID as the Repo, the authentication settings in the "server" section that refers to that repo also fits to the mirror and allows access.
<mirror>
<id>repoId</id><!-- Must fit to serverID!!! (can be same as repoID) -->
<name>My Mirror</name>
<!-- URL of the mirror - in our case just the same as the repo itself. -->
<url>http://mvn-host/content/repositories/myrepo/</url>
<mirrorOf>repoId</mirrorOf><!-- Mirrors exactly the repo itself -->
<blocked>false</blocked><!-- Unblock http access - only works in mirrors, and that's why we need a mirror. -->
</mirror>
The key to all this is that the mirror needs a server entry if it is protected.
You can use a Maven wrapper to help you with the problem, the version below 3.8.1 work well with it.
To create a Maven wrapper do
mvn -N io.takari:maven:0.7.7:wrapper -Dmaven=3.6.1
After this settings --> build, Execution, Deployment --> build tools --> Maven
Select the Maven Home Path to *Use Maven Wrapper*
Go back to your project and from the Maven Settings
This solved my issue, hope it will help you too.
At the moment, I need to specify the path of Nexus both in the settings.xml (for building with Maven) and in a parent pom (for deploying with Maven). Is there a way to put this information into just one place?
In your topmost POM, specify maven deploy plugin version 2.8 or above.
Then in your settings.xml specify
<profile>
<id>nexus</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<altSnapshotDeploymentRepository>id::layout::url</altSnapshotDeploymentRepository>
<altReleaseDeploymentRepository>id::layout::url</altReleaseDeploymentRepository>
...
where id is the same id as given in the (settings.xml) definition of your server (for credentials):
<server>
<id>id</id>
<username>usr</username>
<password>pass</password>
</server>
layout is default (except if you are using maven 1)
url is the place where you want to upload to (your remote repo).
This eliminates the need to specify the deployment repo inside the project's POM.
I've been asked to look at an old project that requires Maven 2.1 and a couple JARs that are not (and will not) stored in our Nexus.
I'm trying to follow the advice from #Nikita Volkov in this post about creating a project repo to hold the JARs as artifacts. The idea being I can check this repo into source control. I can then check it out on any machine and have it build without any special configuration.
To start with I've created a repo and added my first Jar to it by running:
mvn install:install-file -DlocalRepositoryPath=repo -DcreateChecksum=true -Dpackaging=jar -Dfile=lib/myJar.jar -DgroupId=my.group -DartifactId=myArtifact -Dversion=0.0.1
I then create POM that looks like:
<project>
<modelVersion>4.0.0</modelVersion>
<groupId>my.group</groupId>
<artifactId>MyApp</artifactId>
<packaging>ear</packaging>
<version>1.0-SNAPSHOT</version>
<repositories>
<repository>
<id>my-repo</id>
<url>file://${project.basedir}/repo</url>
</repository>
</repositories>
<dependencies>
<dependency>
<groupId>my.group</groupId>
<artifactId>myArtifact</artifactId>
<version>0.0.1</version>
</dependency>
</dependencies>
<build>
</build>
</project>
When I view this in Eclipse if flags the dependency with error
Missing artifact my.group:myArtifact:jar:0.0.1.
When I run it from the command line Iget the error
Unable to find resource 'my.group:myArtifact:pom:0.0.1' in repository my-repo
Clearly I've not understood something in the original post, but I don't see what
So, can anybody provide a working example of how to create a in-project Maven Repo?
Update
The files stored in my local repo are:
my/group/myArtifact/0.0.1/myArtifact-0.0.1.jar
my/group/myArtifact/0.0.1/myArtifact-0.0.1.jar.md5
my/group/myArtifact/0.0.1/myArtifact-0.0.1.jar.sha1
my/group/myArtifact/0.0.1/myArtifact-0.0.1.pom
my/group/myArtifact/0.0.1/myArtifact-0.0.1.pom.md5
my/group/myArtifact/0.0.1/myArtifact-0.0.1.pom.sha1
my/group/myArtifact/maven-metadata-local.xml
my/group/myArtifact/maven-metadata-local.xml.md5
my/group/myArtifact/maven-metadata-local.xml.sha1
Update
The contents of my .m2/settings file is:
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
<mirrors>
<mirror>
<id>nexus</id>
<mirrorOf>*</mirrorOf>
<url>http://192.168.152.78:5000/nexus/content/groups/public/</url>
</mirror>
</mirrors>
</settings>
Working solution after several updates to the original question
Your settings.xml file declares a catch-all mirror. This takes effect over the local repository declaration in your pom file. Either remove the catch-all mirror, or try excluding the repository ID of your project repository from the mirroring:
<mirror>*,!my-repo</mirror>
Original answer
Looks like you install the library to the default local Maven repository location (~/.m2/repository), but then you try to pick it up from a location within your project.
Try changing the repository location for Maven before you run the "mvn install:install-file" goal. You can do this by adding a "localRepository" setting in your settings.xml.
You could also create a new settings.xml specifically for your project and tell Maven to use that whenever you work on your project (-s parameter on the command line). IDEs like Eclipse or IntelliJ also support using an alternative settings.xml file.
I am participating in two projects, both of which are using private maven repository (using nexus).
Since both of them are using their own 3rd party libraries, I want to set corresponding mirror for each project. Fortunately, I can freely edit project1's pom.xml.
Is there any way that I can inject some variables or settings so that my ~/.m2/settings.xml use mirror1 for project1, and mirror2 as default (for project2)?
Well.. I looked up many stackoverflow questions and answers, but I am a newbie in maven and I could not understand and adopt those answers in my project..
Unfortunately there is no way to support multiple mirror definitions within a single settings file.
You will need to create two maven settings files and then parameterize the maven build, e.g. mvn <cmd> -s <path/to/settings.xml>.
After maven 3.3.1, use the project-settings-extension to load the project settings, and put project specific mirrors into ${basedir}/.mvn/settings.xml in each project.
in ${basedir}/.mvn/extensions.xml
<extensions xmlns="http://maven.apache.org/EXTENSIONS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/EXTENSIONS/1.0.0 http://maven.apache.org/xsd/core-extensions-1.0.0.xsd">
<extension>
<groupId>com.github.gzm55.maven</groupId>
<artifactId>project-settings-extension</artifactId>
<version>0.2.4</version>
</extension>
</extensions>
in ${basedir}/.mvn/settings.xml
<settings>
<mirrors>
<mirror>
<id>id</id>
<url>https://url-for-this-project/</url>
<mirrorOf>central</mirrorOf>
</mirror>
</mirrors>
</settings>
In my maven ~./.m2/settings.xml I have defined a mirror and some repositories:
<mirrors>
<mirror>
<id>someid</id>
.....
</mirro>
</mirrors>
...
<profiles>
<profile>
<id>default</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<repositories>
<repository> <id>repo....</id>
....
</profile>
</profiles>
This works fine.
There are some projects where I want do disable the mirror and the default profile.
I know that i can define a seperate profile for the repositories, but i don't know how I can tell the maven eclipse plugin not to use the default profile or a specific profile.
Also: how can I change the mirror for a project?
Unfortunately this is impossible with single settings.xml. There is feature request in Maven JIRA, vote for this!
JIRA ticket MNG-3525
Pull Request to implement the feature
Workaround is to have two settings.xml and running maven with selected configuration:
mvn -s my-settings.xml
Copy the settings.xml file, remove the mirror entry and tell maven to use with the --settings file command line option.
Use XSLT or a command line tool like XMLStarlet to automate the process:
xmlstarlet ed -N 's=http://maven.apache.org/SETTINGS/1.0.0' --delete "//s:mirror" settings.xml
prints a new settings.xml file to stdout which doesn't contain any mirror settings.
Update: The XML namespace has recently changed. Make sure you use the same string as the one at the top of the file. Kudos to Roman Ivanov for pointing this out.
Multiple settings.xml is not necessary I think to do this.
It is possible to control mirrors using profiles.
I can use a property for my repository id for example a suffix ${repo-suffix}
$ mvn help:effective-pom | grep "<distributionManagement>" -A 3
<distributionManagement>
<repository>
<id>deployment${repo-suffix}</id>
<name>Internal Releases</name>
Then I can add repo-suffix to a profile for example to give it value -1.
<profile>
<id>my-profile</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<repo-suffix>-1</repo-suffix>
...
This way I now have a dynamically defined repository id in pom files.
$ mvn help:effective-pom | grep "<distributionManagement>" -A 3
<distributionManagement>
<repository>
<id>deployment-1</id>
<name>Internal Releases</name>
For these this deployment-1 repository I can define mirrors in my settings.xml. This is effectively the same as being able to put a mirror in a profile.
The entries in settings.xml applies to all the maven projects on the system and thus is not meant to be tailored for individual projects.
If you want different projects to have different profiles, then you should specify them in the project's pom. You need not have <profiles> section in your ~/m2/settings.xml.
As for <mirrors> they apply to repositories that you want to mirror. You can choose which repositories need to be mirrored, but not which projects should use the mirror and which should not. You can always run the project in offline mode, if you do not want it to download from a remote repository.