Maven HTTP Repository Blocking

Problem Overview

Since version 3.8.1, Apache Maven blocks external HTTP repositories by default as a security measure against man-in-the-middle attacks. The change was made to address CVE-2021-26291, which highlighted vulnerabilities in HTTP repository connections.

When attempting to use HTTP repositories, you may encounter errors like:

  • "Blocked mirror for repositories"
  • "Repository [repository-id] was blocked"
  • "Failed to transfer artifact from HTTP repository"

1. Use HTTPS Instead of HTTP

The most secure solution is to upgrade your repositories to use HTTPS:

xml
<!-- Before (problematic) -->
<repository>
    <id>my-repo</id>
    <url>http://example.com/repo</url>
</repository>

<!-- After (secure) -->
<repository>
    <id>my-repo</id>
    <url>https://example.com/repo</url>
</repository>

Best Practice

Always prefer HTTPS repositories when available. Contact your repository administrator to request HTTPS support.

2. Create a Mirror for Specific HTTP Repositories

For repositories that only support HTTP, create a mirror in your Maven settings:

xml
<settings>
    <mirrors>
        <mirror>
            <id>my-http-repo-mirror</id>
            <mirrorOf>your-repo-id</mirrorOf> <!-- Must match repository ID -->
            <name>Mirror for HTTP repository</name>
            <url>http://your-repository-url</url>
            <blocked>false</blocked>
        </mirror>
    </mirrors>
</settings>

WARNING

Replace your-repo-id with the actual repository ID from your pom.xml, and http://your-repository-url with your repository's URL.

If you must disable HTTP blocking entirely (not recommended for security reasons):

xml
<settings>
    <mirrors>
        <!-- Override the default HTTP blocker -->
        <mirror>
            <id>maven-default-http-blocker</id>
            <mirrorOf>dummy</mirrorOf> <!-- Doesn't mirror anything -->
            <name>Override default HTTP blocker</name>
            <url>http://0.0.0.0/</url>
        </mirror>
    </mirrors>
</settings>

Security Warning

Disabling HTTP blocking exposes you to man-in-the-middle attacks. Only use this as a temporary solution.

Location of Maven Settings

Maven settings files can be located in:

  1. Global settings: $MAVEN_HOME/conf/settings.xml
  2. User settings: ~/.m2/settings.xml
  3. Project-specific settings: Create .mvn/local-settings.xml and reference it in .mvn/maven.config

Project-Specific Configuration

For team projects where you need consistent settings:

  1. Create .mvn/local-settings.xml in your project root:
xml
<settings>
    <mirrors>
        <mirror>
            <id>project-repo-mirror</id>
            <mirrorOf>project-repo</mirrorOf>
            <url>http://your-repository-url</url>
            <blocked>false</blocked>
        </mirror>
    </mirrors>
</settings>

  2. Create .mvn/maven.config:

--settings
./.mvn/local-settings.xml

IDE-Specific Considerations

IntelliJ IDEA

If you use IntelliJ's bundled Maven, the settings file location varies. For example, on macOS with a Toolbox installation:

${user.home}/Library/Application Support/JetBrains/Toolbox/apps/IDEA-U/[version]/IntelliJ IDEA.app/Contents/plugins/maven/lib/maven3/conf/settings.xml

INFO

The exact path depends on your IntelliJ version and installation method (Toolbox vs standalone).

Password-Protected Repositories

For HTTP repositories requiring authentication:

xml
<settings>
    <servers>
        <server>
            <id>your-repo-id</id>
            <username>your-username</username>
            <password>your-password</password>
        </server>
    </servers>
    <mirrors>
        <mirror>
            <id>your-repo-id</id> <!-- Must match server ID -->
            <mirrorOf>your-repo-id</mirrorOf>
            <url>http://your-repository-url</url>
            <blocked>false</blocked>
        </mirror>
    </mirrors>
</settings>

Security Considerations

While these solutions work, consider the security implications:

  • HTTP connections are vulnerable to interception
  • Sensitive data (credentials, artifacts) can be exposed
  • Migrating to HTTPS is the only truly secure solution
  • Temporary workarounds should be replaced with permanent HTTPS solutions
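
To keep track of where these workarounds are in use, the Python script below scans the text of a settings.xml or pom.xml for plain-HTTP repositories, HTTP mirrors that are not blocked, and an override of maven-default-http-blocker. It is an added example, not part of the original page or of Maven; the function name audit_maven_xml and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip an XML namespace: '{ns}mirror' -> 'mirror'."""
    return tag.rsplit("}", 1)[-1]

def audit_maven_xml(xml_text, source):
    """Return (source, id, issue) tuples for HTTP repositories and unblocked HTTP mirrors."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        kind = _local(elem.tag)
        if kind not in ("repository", "pluginRepository", "mirror"):
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        rid, url = fields.get("id", "?"), fields.get("url", "")
        is_http = url.lower().startswith("http://")
        blocked = fields.get("blocked", "false").lower() == "true"
        if kind == "mirror" and rid == "maven-default-http-blocker" and not blocked:
            # Same id as Maven's built-in blocker but without <blocked>true</blocked>
            findings.append((source, rid, "default HTTP blocker overridden"))
        elif kind == "mirror" and is_http and not blocked:
            findings.append((source, rid, "unblocked HTTP mirror " + url))
        elif kind != "mirror" and is_http:
            findings.append((source, rid, "HTTP repository " + url))
    return findings

# Constructed sample input, modelled on the snippets on this page.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror><id>maven-default-http-blocker</id><mirrorOf>dummy</mirrorOf>
      <url>http://0.0.0.0/</url></mirror>
    <mirror><id>my-http-repo</id><mirrorOf>my-http-repo</mirrorOf>
      <url>http://example.com/repo</url><blocked>false</blocked></mirror>
    <mirror><id>tls-mirror</id><mirrorOf>central</mirrorOf>
      <url>https://example.com/repo</url></mirror>
  </mirrors>
</settings>"""
SAMPLE_POM = """<project><repositories>
  <repository><id>my-http-repo</id><url>http://example.com/repo</url></repository>
  <repository><id>my-repo</id><url>https://example.com/repo</url></repository>
</repositories></project>"""

if __name__ == "__main__":
    results = audit_maven_xml(SAMPLE_SETTINGS, "settings.xml")
    results += audit_maven_xml(SAMPLE_POM, "pom.xml")
    for finding in results:
        print(": ".join(finding))
```

Run it over the global, user and project-specific settings files listed above as well as each pom.xml, since a workaround in any one of them is enough to re-enable HTTP downloads.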

Troubleshooting

If these solutions don't work:

  1. Verify your Maven version with mvn -version
  2. Check that settings file locations are correct
  3. Ensure repository IDs match exactly between pom.xml and settings.xml
  4. For IDE issues, try running Maven from the command line first

Example of Complete Working Configuration

xml
<!-- pom.xml -->
<repositories>
    <repository>
        <id>my-http-repo</id>
        <name>My HTTP Repository</name>
        <url>http://example.com/repo</url>
    </repository>
</repositories>

<!-- settings.xml -->
<settings>
    <mirrors>
        <mirror>
            <id>my-http-repo</id>
            <mirrorOf>my-http-repo</mirrorOf>
            <name>HTTP Repository Mirror</name>
            <url>http://example.com/repo</url>
            <blocked>false</blocked>
        </mirror>
    </mirrors>
</settings>

Remember that the long-term solution should always be migrating to HTTPS repositories rather than maintaining HTTP workarounds.