Maven HTTP Repository Blocking Fix

When upgrading to Maven 3.8.1 or later, you might encounter build failures with DependencyResolutionException errors mentioning "Blocked mirror for repositories" and references to HTTP URLs. This is a security feature introduced in newer Maven versions, not a bug in your configuration.

Problem: HTTP Repository Blocking in Maven 3.8.1+

Starting with Maven 3.8.1, the default configuration blocks all HTTP (non-secure) repository connections to protect against man-in-the-middle attacks. The error typically looks like:

[ERROR] Failed to execute goal on project MassBank2NIST: Could not resolve dependencies for project MassBank2NIST:MassBank2NIST:jar:0.0.2-SNAPSHOT: Failed to collect dependencies at edu.ucdavis.fiehnlab.splash:core:jar:1.8: Failed to read artifact descriptor for edu.ucdavis.fiehnlab.splash:core:jar:1.8: Could not transfer artifact edu.ucdavis.fiehnlab.splash:core:pom:1.8 from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [EBI (http://www.ebi.ac.uk/intact/maven/nexus/content/repositories/ebi-repo/, default, releases+snapshots), releases (http://gose.fiehnlab.ucdavis.edu:55000/content/groups/public, default, releases+snapshots)]

Recommended Solutions

1. Upgrade to HTTPS (Best Practice)

The most secure and recommended approach is to update your repository URLs to use HTTPS instead of HTTP. Check if your repositories support HTTPS and update your pom.xml:

Before - Insecure

<repository>
    <id>ebi-repo</id>
    <url>http://www.ebi.ac.uk/intact/maven/nexus/content/repositories/ebi-repo/</url>
</repository>

After - Secure

<repository>
    <id>ebi-repo</id>
    <url>https://www.ebi.ac.uk/intact/maven/nexus/content/repositories/ebi-repo/</url>
</repository>

2. Configure Maven to Allow HTTP Repositories

If HTTPS isn't available for a specific repository, you can configure Maven to allow HTTP connections:

Option A: Global settings (~/.m2/settings.xml)

<mirror>
  <id>insecure-ebi-repo</id>
  <mirrorOf>external:http:*</mirrorOf>
  <url>http://www.ebi.ac.uk/intact/maven/nexus/content/repositories/ebi-repo/</url>
  <blocked>false</blocked>
</mirror>

Option B: Project-specific settings

Create .mvn/custom-settings.xml in your project:

<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd">
    <mirrors>
        <mirror>
            <id>insecure-repo-mirror</id>
            <mirrorOf>external:http:*</mirrorOf>
            <url>http://www.ebi.ac.uk/intact/maven/nexus/content/repositories/ebi-repo/</url>
            <blocked>false</blocked>
        </mirror>
    </mirrors>
</settings>

Then create .mvn/maven.config:

--settings .mvn/custom-settings.xml

3. Remove the HTTP Blocker (Not Recommended)

You can remove the default HTTP blocker from Maven's configuration:

1. Navigate to ${MAVEN_HOME}/conf/settings.xml
2. Find and comment out or remove the maven-default-http-blocker mirror:

<!--
<mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>external:http:*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://0.0.0.0/</url>
</mirror>
-->

Security Risk

Disabling HTTP blocking reduces security by allowing potential man-in-the-middle attacks. Use this only as a temporary solution.

4. Downgrade Maven (Last Resort)

If other solutions aren't feasible, you can downgrade to Maven 3.6.3, which doesn't include the HTTP blocking feature:

# For Homebrew users
brew uninstall maven
brew install maven@3.6

Example: Fixing Specific Repository Issues

For common repositories that still use HTTP:

JasperSoft Repository:

<mirror>
  <id>jaspersoft-third-party-mirror</id>
  <mirrorOf>jaspersoft-third-party</mirrorOf>
  <url>http://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
  <blocked>false</blocked>
</mirror>

Java.net Repository:

<mirror>
  <id>releases-java-net-mirror</id>
  <mirrorOf>releases.java.net</mirrorOf>
  <url>http://maven.java.net/content/repositories/releases/</url>
  <blocked>false</blocked>
</mirror>

Best Practices

1. Prioritize HTTPS - Always use secure repositories when available
2. Update dependencies - Newer versions often switch to HTTPS repositories
3. Use project-specific settings - When team collaboration is needed
4. Document your changes - Explain why HTTP is necessary if used

TIP

Check if your dependency's newer versions have migrated to HTTPS repositories before implementing HTTP workarounds.

By following these approaches, you can resolve the Maven HTTP blocking issue while maintaining the appropriate level of security for your development environment.