How to disable maven blocking external HTTP repositories?

Question

Maven blocks external HTTP repositories by default since version 3.8.1 (see https://maven.apache.org/docs/3.8.1/release-notes.html)

Is there a way to disable that or to exempt a repository from this rule?

Answer 1

I found a solution to do this by inspecting the commit in the Maven git repository that is responsible for the default HTTP blocking: https://github.com/apache/maven/commit/907d53ad3264718f66ff15e1363d76b07dd0c05f

My solution is as follows:

In the Maven settings (located in ${maven.home}/conf/settings.xml or ${user.home}/.m2/settings.xml), the following entry must be removed:

<mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>external:http:*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://0.0.0.0/</url>
</mirror>

If you work in a project and cannot make sure the Maven settings are always like that, e.g. because you share code with other people or want to use CI/CD with automated testing, you may do the following: Add a directory named .mvn in the project. In the .mvn directory, add a file named maven.config with the content --settings ./.mvn/local-settings.xml. In the .mvn directory, add a file named local-settings.xml. This file should look like this:

<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd">
    <mirrors>
        <mirror>
            <id>my-repository-http-unblocker</id>
            <mirrorOf>my-blocked-http-repository</mirrorOf>
            <name></name>
            <url>http://........</url>
        </mirror>
    </mirrors>
</settings>

Where inside the <mirrorOf> tag, you need to specify the id of the blocked repository, and in the <url> tag, you specify the original url of the repository again. You need to create this unblocker mirror for every repository you have that is blocked.

Example:

If you have the following HTTP repositories defined in the pom.xml:

<repositories>
    <repository>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
        <id>central</id>
        <name>libs-release</name>
        <url>http://my-url/libs-release</url>
    </repository>
    <repository>
        <id>snapshots</id>
        <name>libs-snapshot</name>
        <url>http://my-url/libs-snapshot</url>
    </repository>
</repositories>

Then you need in the .mvn/local-settings.xml:

<mirrors>
    <mirror>
        <id>release-http-unblocker</id>
        <mirrorOf>central</mirrorOf>
        <name></name>
        <url>http://my-url/libs-release</url>
    </mirror>
    <mirror>
        <id>snapshot-http-unblocker</id>
        <mirrorOf>snapshots</mirrorOf>
        <name></name>
        <url>http://my-url/libs-snapshot</url>
    </mirror>
</mirrors>

I hope my work can help other people who stumble upon this. However, if you have a more elegant or better solution, please share!

Answer 2

In my case, I just added a dummy mirror with the id maven-default-http-blocker to override the existing one. This disable HTTP blocking for all repositories.

<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd">
     <mirrors>
          <mirror>
               <id>maven-default-http-blocker</id>
               <mirrorOf>dummy</mirrorOf>
               <name>Dummy mirror to override default blocking mirror that blocks http</name>
               <url>http://0.0.0.0/</url>
         </mirror>
    </mirrors>
</settings>

Answer 3

Another possible solution/workaround is to override the new default http-blocking behavior by commenting out the maven-default-http-blocker mirror in the <mirrors> section of the maven's 'main' settings.xml file (under /opt/maven/conf in my case);

<!--mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>external:http:*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://0.0.0.0/</url>
  <blocked>false</blocked>
</mirror-->

P.S. Whether it's a good idea to unblock all insecure http repositories is a whole other story.

Answer 4

You should just add a mirror to your http repository that allows http in your maven settings. You shouldn't eliminate the default maven behavior for all repositories. Then tell your devops team to use https!

in .m2/settings.xml:

<mirrors>
        <mirror>
            <id>my-repo-mirror</id>
            <name>My Repo HTTP Mirror</name>
            <url>http://url-to.my/repo</url>
            <mirrorOf>my-repo</mirrorOf>
        </mirror>
</mirrors>

Answer 5

In macOS Monterey, and using Intellij Ultimate 2021.3 (and up), with maven NOT INSTALLED in the system and using maven as a plugin inside Intellij, i found the "settings.xml" file in the path:

${user.home}/Library/Application Support/JetBrains/Toolbox/apps/IDEA-U/ch-0/213.5744.223/IntelliJ IDEA.app/Contents/plugins/maven/lib/maven3/conf/settings.xml

Note: the above path is when the Intellij is installed using the Jetbrains Toolbox App, and the version number indicated (213.5744.223) can defer if you have another version, verify when travelling the path to the file.

Open the "settings.xml" file with your favourite editor, and comment the next lines:

<!--<mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>external:http:*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://0.0.0.0/</url>
  <blocked>true</blocked>
</mirror>-->

Hope it helped.

Answer 6

Unblock a Specific HTTP Repository

To unblock a specific repository, you may define a dummy mirror of it in your settings by adding a <mirror> with the same url, and its <mirrorOf> value matching your repository's id. Nothing else needs to change for this to work.

For example:
If your repo id is team-internal-repo, then a mirror added to your ~/.m2/settings.xml might look like this:

<settings>
...
    <!-- Add a mirror. -->
    <mirrors>
        <mirror>
            <id>team-internal-repo-mirror</id>
            <mirrorOf>team-internal-repo</mirrorOf> <!-- Must match repository id. -->
            <name>Dummy mirror to unblock the team repo server</name>
            <url>http://insecure-internal-server/repository/team-repo/</url>
           <!-- <blocked>false</blocked> --> <!-- This is not needed, the mirror is unblocked by default. -->
        </mirror>
    </mirrors>

    <!-- Existing profile does not need to change. -->
    <profiles>
        <profile>
            <id>default_profile</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <repositories>
                <repository>
                    <id>team-internal-repo</id>
                    <name>Dev Team Internal Artifacts</name>
                    <url>http://insecure-internal-server/repository/team-repo/</url>
                    <snapshots>
                        <enabled>true</enabled>
                    </snapshots>
                </repository>
            </repositories>
...
        </profile>
    </profiles>
</settings>

The <blocked> tag is not needed here. Other users have commented that the tag breaks older versions of maven. I tested an http repo with and without this tag and it worked both ways. (Tested using maven 3.8.2.)

Unblocking one or more explicit repos is better than universally unblocking all http repositories. Doing that may be a bad idea:

• It presents a greater security risk. There's a reason apache made this change, and it is discussed in the release notes referenced by OP: https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
• Modifying the internal configuration of your Maven installation (i.e. the settings file in /opt/apache-maven-3.8.1 instead of your own in ~/.m2) could create a headache when updating or reinstalling future releases of maven. If that file gets overridden, your repo might suddenly be blocked again.

Answer 7

You could follow the official recommendation from the Maven documentation, it is explained in the same link that you shared: https://maven.apache.org/docs/3.8.1/release-notes.html#how-to-fix-when-i-get-a-http-repository-blocked

Options to fix are:

• upgrade the dependency version to a newer version that replaced the obsolete HTTP repository URL with a HTTPS one,

• keep the dependency version but define a mirror in your settings.

It includes a link to Maven - Guide to Mirror Settings

As others mentioned, you should not override the default security settings.

Answer 8

Sometimes, when your local version of settings.xml is low and your maven version is higher than that, then removing this configuration cannot solve the problem:

<mirrors>
<mirror>
    <id>my-repository-http-unblocker</id>
    <mirrorOf>my-blocked-http-repository</mirrorOf>
    <name></name>
    <url>http://........</url>
</mirror>

Maybe see if adding <blocked>false</blocked> will solve the problem:

<mirrors>
    <mirror>
        <id>my-repository-http-unblocker</id>
        <mirrorOf>my-blocked-http-repository</mirrorOf>
        <name></name>
        <url>http://your blocked url</url>
         <blocked>false</blocked>
    </mirror>
</mirrors>

Answer 9

I solved the issue by simply replacing "http" with "https" in .xml file (in my case pom.xml). This solved my error.

Answer 10

Same problem with macOS Monterey 12.3.1 and IntelliJ 2022.1 using bundled maven (3.8.1). The solution is similar to the one proposed by MrBitwise but the settings file has a different path (it is the one embedded inside the app contents folder):

/Applications/IntelliJ\ IDEA\ CE.app/Contents/plugins/maven/lib/maven3/conf/settings.xml 

Then I commented the following code:

<mirror>
    <id>maven-default-http-blocker</id>
    <mirrorOf>external:http:*</mirrorOf>
    <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
    <url>http://0.0.0.0/</url>
    <blocked>true</blocked>
</mirror>

Answer 11

If you are using maven version 3.8 or greater HTTP is not supported. Try to use a lower version or upgrade the repo to HTTPS For more information please refer https://help.mulesoft.com/s/article/Maven-error-when-building-application-Blocked-Mirror-for-repositories#:~:text=Upgrade%20the%20Maven%20repository%20so,of%20the%20obsolete%20HTTP%20one.&text=Define%20a%20mirror%20in%20your%20settings.&text=Define%20an%20exception%20for%20a%20specific%20repository.&text=The%20false%3C%2F,be%20used%20as%20an%20exception.

Answer 12

A bit different solution that has helped me, is more related to our corporate environment and involves the fact that we are slowly moving out of maven to another dep/build tool, but there is still a 'corporate' settings.xml file defined.

So just rename it to a different file (instead of deleting), like mv settings.xml settings-backup.xml, and returning maven again would help you to check if it's the issue.

Answer 13

I encountered this issue when I installed a new version of maven. Fixed this by renaming .m2 directory to whatever or like .m2-old then run maven again. it will recreate the directory, the drawback is it will redownload all jar since the new .m2 is empty. Then just transfer your settings.xml to that new .m2 directory.

I've yet to test if copy the repository directory from the old .m2 to the new one will just work fine.

Update : copying the repository directory from ~/.m2-old to the new ~/.m2 didnt cause any errors when running maven afterwards