Maven blocks external HTTP repositories by default since version 3.8.1 (see https://maven.apache.org/docs/3.8.1/release-notes.html)
Is there a way to disable that or to exempt a repository from this rule?
I found a solution to do this by inspecting the commit in the Maven git repository that is responsible for the default HTTP blocking: https://github.com/apache/maven/commit/907d53ad3264718f66ff15e1363d76b07dd0c05f
My solution is as follows:
In the Maven settings (located in ${maven.home}/conf/settings.xml or ${user.home}/.m2/settings.xml), the following entry must be removed:
<mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
</mirror>
If you work in a project and cannot make sure the Maven settings are always like that, e.g. because you share code with other people or want to use CI/CD with automated testing, you may do the following: Add a directory named .mvn in the project. In the .mvn directory, add a file named maven.config with the content --settings ./.mvn/local-settings.xml. In the .mvn directory, add a file named local-settings.xml. This file should look like this:
<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd">
<mirrors>
<mirror>
<id>my-repository-http-unblocker</id>
<mirrorOf>my-blocked-http-repository</mirrorOf>
<name></name>
<url>http://........</url>
</mirror>
</mirrors>
</settings>
Where inside the <mirrorOf> tag, you need to specify the id of the blocked repository, and in the <url> tag, you specify the original url of the repository again. You need to create this unblocker mirror for every repository you have that is blocked.
Example:
If you have the following HTTP repositories defined in the pom.xml:
<repositories>
<repository>
<snapshots>
<enabled>false</enabled>
</snapshots>
<id>central</id>
<name>libs-release</name>
<url>http://my-url/libs-release</url>
</repository>
<repository>
<id>snapshots</id>
<name>libs-snapshot</name>
<url>http://my-url/libs-snapshot</url>
</repository>
</repositories>
Then you need in the .mvn/local-settings.xml:
<settings>
<mirrors>
<mirror>
<id>release-http-unblocker</id>
<mirrorOf>central</mirrorOf>
<name></name>
<url>http://my-url/libs-release</url>
</mirror>
<mirror>
<id>snapshot-http-unblocker</id>
<mirrorOf>snapshots</mirrorOf>
<name></name>
<url>http://my-url/libs-snapshot</url>
</mirror>
</mirrors>
</settings>
I hope my work can help other people who stumble upon this. However, if you have a more elegant or better solution, please share!
In my case, I just added a dummy mirror with the id maven-default-http-blocker to override the existing one. This disable HTTP blocking for all repositories.
<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd">
<mirrors>
<mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>dummy</mirrorOf>
<name>Dummy mirror to override default blocking mirror that blocks http</name>
<url>http://0.0.0.0/</url>
</mirror>
</mirrors>
</settings>
Another possible solution/workaround is to override the new default http-blocking behavior by commenting out the maven-default-http-blocker mirror in the <mirrors> section of the maven's 'main' settings.xml file (under /opt/maven/conf in my case);
<!--mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
<blocked>false</blocked>
</mirror-->
P.S. Whether unblocking all the insucure http repositories is a good idea is a whole other story.
You should just add a mirror to your http repository that allows http in your maven settings. You shouldn't eliminate the default maven behavior for all repositories. Then tell your devops team to use https!
in .m2/settings.xml:
<mirrors>
<mirror>
<id>my-repo-mirror</id>
<name>My Repo HTTP Mirror</name>
<url>http://url-to.my/repo</url>
<mirrorOf>my-repo</mirrorOf>
</mirror>
</mirrors>
In macOS Monterey, and using Intellij Ultimate 2021.3 (and up), with maven NOT INSTALLED in the system and using maven as a plugin inside Intellij, i found the "settings.xml" file in the path:
${user.home}/Library/Application Support/JetBrains/Toolbox/apps/IDEA-U/ch-0/213.5744.223/IntelliJ IDEA.app/Contents/plugins/maven/lib/maven3/conf/settings.xml
Note: the above path is when the Intellij is installed using the Jetbrains Toolbox App, and the version number indicated (213.5744.223) can defer if you have another version, verify when travelling the path to the file.
Open the "settings.xml" file with your favourite editor, and comment the next lines:
<!--<mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
<blocked>true</blocked>
</mirror>-->
Hope it helped.
I solved the issue by simply replacing "http" with "https" in .xml file (in my case pom.xml).
This solved my error.
Unblock a Specific HTTP Repository
To unblock a specific repository, you may define a dummy mirror of it in your settings by adding a <mirror> with the same url, and its <mirrorOf> value matching your repository's id. Nothing else needs to change for this to work.
For example:
If your repo id is team-internal-repo, then a mirror added to your ~/.m2/settings.xml might look like this:
<settings>
...
<!-- Add a mirror. -->
<mirrors>
<mirror>
<id>team-internal-repo-mirror</id>
<mirrorOf>team-internal-repo</mirrorOf> <!-- Must match repository id. -->
<name>Dummy mirror to unblock the team repo server</name>
<url>http://insecure-internal-server/repository/team-repo/</url>
<!-- <blocked>false</blocked> --> <!-- This is not needed, the mirror is unblocked by default. -->
</mirror>
</mirrors>
<!-- Existing profile does not need to change. -->
<profiles>
<profile>
<id>default_profile</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<repositories>
<repository>
<id>team-internal-repo</id>
<name>Dev Team Internal Artifacts</name>
<url>http://insecure-internal-server/repository/team-repo/</url>
<snapshots>
<enabled>true</enabled>
</snapshots>
</repository>
</repositories>
...
</profile>
</profiles>
</settings>
The <blocked> tag is not needed here. Other users have commented that the tag breaks older versions of maven. I tested an http repo with and without this tag and it worked both ways. (Tested using maven 3.8.2.)
Unblocking one or more explicit repos is better than universally unblocking all http repositories. Doing that may be a bad idea:
It presents a greater security risk. There's a reason apache made this change, and it is discussed in the release notes referenced by OP: https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
Modifying the internal configuration of your Maven installation (i.e. the settings file in /opt/apache-maven-3.8.1 instead of your own in ~/.m2) could create a headache when updating or reinstalling future releases of maven. If that file gets overridden, your repo might suddenly be blocked again.
Same problem with macOS Monterey 12.3.1 and IntelliJ 2022.1 using bundled maven (3.8.1). The solution is similar to the one proposed by MrBitwise but the settings file has a different path (it is the one embedded inside the app contents folder):
/Applications/IntelliJ\ IDEA\ CE.app/Contents/plugins/maven/lib/maven3/conf/settings.xml
Then I commented the following code:
<mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
<blocked>true</blocked>
</mirror>
You could follow the official recommendation from the Maven documentation, it is explained in the same link that you shared: https://maven.apache.org/docs/3.8.1/release-notes.html#how-to-fix-when-i-get-a-http-repository-blocked
Options to fix are:
upgrade the dependency version to a newer version that replaced the
obsolete HTTP repository URL with a HTTPS one,
keep the dependency version but define a mirror in your settings.
It includes a link to Maven - Guide to Mirror Settings
As others mentioned, you should not override the default security settings.
Sometimes, when your local version of settings.xml is low and your maven version is higher than that, then removing this configuration cannot solve the problem:
<mirrors>
<mirror>
<id>my-repository-http-unblocker</id>
<mirrorOf>my-blocked-http-repository</mirrorOf>
<name></name>
<url>http://........</url>
</mirror>
Maybe see if adding <blocked>false</blocked> will solve the problem:
<mirrors>
<mirror>
<id>my-repository-http-unblocker</id>
<mirrorOf>my-blocked-http-repository</mirrorOf>
<name></name>
<url>http://your blocked url</url>
<blocked>false</blocked>
</mirror>
</mirrors>
Use the latest versions of your dependencies and plugins. I had the same issue with libraries from 'com.sun.xml.ws', but changing their versions from 3.8.3 to 4.0.0 fixed it.
If you are using maven version 3.8 or greater HTTP is not supported. Try to use a lower version or upgrade the repo to HTTPS For more information please refer
https://help.mulesoft.com/s/article/Maven-error-when-building-application-Blocked-Mirror-for-repositories#:~:text=Upgrade%20the%20Maven%20repository%20so,of%20the%20obsolete%20HTTP%20one.&text=Define%20a%20mirror%20in%20your%20settings.&text=Define%20an%20exception%20for%20a%20specific%20repository.&text=The%20false%3C%2F,be%20used%20as%20an%20exception.
A bit different solution that has helped me, is more related to our corporate environment and involves the fact that we are slowly moving out of maven to another dep/build tool, but there is still a 'corporate' settings.xml file defined.
So just rename it to a different file (instead of deleting), like mv settings.xml settings-backup.xml, and returning maven again would help you to check if it's the issue.
I encountered this issue when I installed a new version of maven. Fixed this by renaming .m2 directory to whatever or like .m2-old then run maven again. it will recreate the directory, the drawback is it will redownload all jar since the new .m2 is empty. Then just transfer your settings.xml to that new .m2 directory.
I've yet to test if copy the repository directory from the old .m2 to the new one will just work fine.
Update : copying the repository directory from ~/.m2-old to the new ~/.m2 didnt cause any errors when running maven afterwards
For your local environment, the quickest way is to set the blocked value from true to false in your .m2\settings.xml
<id>maven-default-http-blocker</id>
<mirrorOf>external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
<blocked>false</blocked>
</mirror>
I was able to compile by commenting the code:
/Applications/IntelliJ\ IDEA.app/Contents/plugins/maven/lib/maven3/conf/settings.xml
<!--<mirror>
<id>maven-default-http-blocker</id>
<mirrorOf>external:http:*</mirrorOf>
<name>Pseudo repository to mirror external repositories initially using HTTP.</name>
<url>http://0.0.0.0/</url>
<blocked>false</blocked>
</mirror>-->
Pude compilar comentando el codigo dentro de la ruta
/Applications/IntelliJ\ IDEA.app/Contents/plugins/maven/lib/maven3/conf/settings.xml
Unblock a password protected HTTP repository
I didn't like to modify the global settings.xml of IntelliJ (probably requires fix again after every update), and the method unblocking all http-repos didn't work for me - I guess because our HTTP-repo is password protected.
What worked for me finally was a mirror entry that exactly fits the original repo:
Same ID as the repo.
Same URL as the repo (it's just a fake mirror)
mirrorOf also has that same ID.
blocked set to false of course.
Thus the mirror mirrors exactly the HTTP repo and nothing else - you need a mirror for each HTTP repo. But since the mirror has the same ID as the Repo, the authentication settings in the "server" section that refers to that repo also fits to the mirror and allows access.
<mirror>
<id>repoId</id><!-- Must fit to serverID!!! (can be same as repoID) -->
<name>My Mirror</name>
<!-- URL of the mirror - in our case just the same as the repo itself. -->
<url>http://mvn-host/content/repositories/myrepo/</url>
<mirrorOf>repoId</mirrorOf><!-- Mirrors exactly the repo itself -->
<blocked>false</blocked><!-- Unblock http access - only works in mirrors, and that's why we need a mirror. -->
</mirror>
The key to all this is that the mirror needs a server entry if it is protected.
You can use a Maven wrapper to help you with the problem, the version below 3.8.1 work well with it.
To create a Maven wrapper do
mvn -N io.takari:maven:0.7.7:wrapper -Dmaven=3.6.1
After this settings --> build, Execution, Deployment --> build tools --> Maven
Select the Maven Home Path to *Use Maven Wrapper*
Go back to your project and from the Maven Settings
This solved my issue, hope it will help you too.
In our project we need to setup a repository in a remote machine and I need to point to that repository. I have tried changing settings.xml.
But that didn't work. Then I added repository directly in pom.
This works. But still I am seeing the artifacts are downloaded from central repository. When I checked the effective pom, I am seeing that central repository is been mentioned along with mentioned internal repository
I dont need artifacts to be downloaded from central repository. Instead I need to download from my remote repository. How can I achieve it. TIA :)
You can force Maven to use a single repository by having it mirror all repository requests. The repository must contain all of the desired artifacts, or be able to proxy the requests to other repositories. This setting is most useful when using an internal company repository with the Maven Repository Manager to proxy external requests.
To achieve this, set mirrorOf to *.
<settings>
...
<mirrors>
<mirror>
<id>internal-repository</id>
<name>Maven Repository Manager running on repo.mycompany.com</name>
<url>http://repo.mycompany.com/proxy</url>
<mirrorOf>*</mirrorOf>
</mirror>
</mirrors>
...
</settings>
more details here
Correct me if I'm wrong, but a Mirror is used to redirect all traffic to a specific repository URL and block everything else (including Maven central repo).
Now what if I have a Mirror to http://a.com:8081 and a repository to http://b.com:8081. Would the second URL ever get used? I assume the answer is a No. Can you have multiple Mirrors?
Correct me if I'm wrong, but a Mirror is used to redirect all traffic to a specific repository URL and block everything else (including Maven central repo).
This is not entirely correct. Artifacts are downloaded by Maven by searching them inside defined repositories. Those repositories are defined in project's POM or in the Maven settings. But, as specified in the Mirror documentation:
However, you may want to use an alternative mirror for a particular repository without changing the project files.
Let's take the example from the documentation and comment on it:
<mirrors>
<mirror>
<id>UK</id>
<name>UK Central</name>
<url>http://uk.maven.org/maven2</url>
<mirrorOf>central</mirrorOf>
</mirror>
</mirrors>
This defines a single mirror that will be used when Maven will want to fetch a dependency from the Maven Central Repository. Let's say you have 2 current repositories, which are Maven Central and a custom repo A. What happens is the following:
You are declaring a dependency to an artifact;
Maven will look for that dependency inside your defined repositories, so it will look for it inside the repository A and Maven Central;
Let's say it starts with A: it will hit the URL defined for that repository, like you would expect. Then let's say it wasn't found there;
It will then look inside Maven Central. However, Maven will notice that a mirror was configured for that repository. It will not hit Maven Central at repo1.maven.org. Instead, it will fetch it from uk.maven.org, which is the URL defined in the mirror configuration element.
As this example shows, a mirror only applies to certain repositories, which are defined with the <mirrorOf> configuration element. In the previous case, we had <mirrorOf>central</mirrorOf> which means "Mirror Maven Central". This element can have various values, and the documentation gives examples:
Examples:
* = everything
external:* = everything not on the localhost and not file based.
repo,repo1 = repo or repo1
*,!repo1 = everything except repo1:
Now what if I have a Mirror to http://a.com:8081 and a repository to http://b.com:8081. Would the second URL ever get used? I assume the answer is a No.
The above shows that the answer is not strictly no. The mirror to http://a.com:8081 will be used when Maven will try to fetch a dependency from one of the repository that it mirrors. If it indeed mirrors the repository to http://b.com:8081 then no requests will ever be made to http://b.com:8081 (they will be redirected to http://a.com:8081); but if it doesn't, Maven will continue to fetch dependencies from http://b.com:8081 like usual.
Can you have multiple Mirrors?
Yes, you can.
To answer your questions:
Correct me if I'm wrong, but a Mirror is used to redirect all traffic to a specific repository URL and block everything else (including Maven central repo).
Kind of right, but I would say all artifacts are redirected to the mirror.
The blocking doesn't happen because it's a mirror. The filtering or re-direction happens based on what is defined in the <mirrorOf> element.
The syntax <mirrofOf>*</mirrorOf> causes ALL repositories to be directed to that mirror. To use your words, the mirror blocks the other repository http://b.com:8081. (but I wouldn't use those words).
If, however, you defined the mirror pattern as:
<mirrofOf>*,!third-party-repo</mirrorOf>
then the mirror would handle all artifacts that were not found in the other repositories. So in this case (in your words), the mirror would not block access to the other repositories.
Now what if I have a Mirror to http://a.com:8081 and a repository to http://b.com:8081. Would the second URL ever get used? I assume the answer is a No.
This all depends on how you've defined your mirror and repositories as explained above, it is possible for them both to be used.
Can you have multiple Mirrors?
Yes. The maven docs explain how to do that here: https://maven.apache.org/guides/mini/guide-mirror-settings.html#advanced-mirror-specification
But I've never personally had the need to deal with multiple mirrors. Instead, I typically have one mirror and then one or more repos.
I'll explain that next.
Example using a mirror and two repos
In this example, I have:
One public mirror of Maven central (called acme-central) for my fictitious company Acme.
One repo for my companies locally developed artifacts (called acme-repo).
One repo for a 3rd party company third-party-repo that has some artifacts I needed (called third-party-repo).
The simplified syntax for all of this is shown below. I'm only showing the bits of the configuration that affect this example.
<settings>
<mirrors>
<mirror>
<mirrorOf>central,!acme-repo,!third-party-repo</mirrorOf>
<profiles>
<profile>
<id>default</id>
<repositories>
<repository>
<id>acme-repo</id>
<url>https://acme.com/repository/releases</url>
<repository>
<id>third-party-repo</id>
<url>https://third-party.com/repository/releases</url>
<activeProfiles>
<activeProfile>default</activeProfile>
So we have a mirror (of maven central), and two other repositories.
The mirror statement says to use the mirror instead of maven central, but not for the two repos acme-repo and third-party-repo.
The profile is required (just because that is the syntax of the settings.xml file). You can only define <repositories> within a profile.
The repositories have names, and the way artifacts are looked up is as follows (see Repository Order in Maven docs). What follows is simplified for this answer.
settings.xml file is used
pom.xml file is used
Before downloading from a repository, mirrors configuration is applied.
The maven docs show an example with two <mirror>s.
Running the command mvn help:effective-pom -Dverbose is a good way to see which repo/mirror was used to download an artifact because the syntax is:
Downloading from third-party-repo: https://third-party.com/...
Downloading from acme-repo: https://third-party.com/...
What is the difference between using
<mirrorOf>central</mirrorOf>
and
<mirrorOf>*</mirrorOf>
We have a Nexus server running proxied to the Maven public repository and using "*" instead of "central" downloads some artifiacts but not all.
Reading http://maven.apache.org/guides/mini/guide-mirror-settings.html does not suggest what could cause this ?
<mirrorOf>central</mirrorOf>
says if request comes to lookup for central maven repository look in its mirror instead
where
<mirrorOf>*</mirrorOf>
says for any request to download from any repository look in this mirrored repository
if you have second and if it is failing to download some artifacts it could be because you are not proxying certain repository in your own nexus repository
My organization uses maven for all our projects. Every time we create new maven project, the artifacts are downloaded from maven central repository. But i want to create organization level local repository where all the maven artifacts are available and when new maven project created should look for the artifact in local repository and if not found, then only look in the maven central repository. Can anyone let me know how to do this.
Thanks.
You should take a look at Sonatype Nexus repository manager. It can be used as a proxy to cache remote repositories. After Nexus has been set up, you will just have to edit your settings.xml and add something like this:
<mirrors>
<mirror>
<id>nexus-proxy</id>
<name>Nexus Proxy</name>
<url>http://nexus.example.com/nexus/content/groups/public</url>
<mirrorOf>central</mirrorOf>
</mirror>
</mirrors>
You could use Artifactory or a similar Repository Management tool