Maven "Blocked mirror for repositories" Error
Problem Statement
The "Blocked mirror for repositories" error occurs in Maven when the build tool attempts to download dependencies from HTTP repositories. This security measure was introduced in Maven 3.8.1+ to protect against potential Man-in-the-Middle (MITM) attacks when downloading artifacts over insecure HTTP connections.
Maven now automatically blocks all external HTTP repositories by default through a built-in mirror configuration that redirects HTTP requests to a blocked endpoint.
Understanding the Security Change
Starting with Maven 3.8.1, the development team implemented a security feature to address CVE-2021-26291. Many Maven Central POMs contain references to custom repositories using HTTP URLs, which could make downloads vulnerable to interception. Since these POMs are immutable, the solution was to implement a default blocking mechanism at the Maven configuration level.
The default configuration includes a mirror that blocks all external HTTP repositories:
<mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>external:http:*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://0.0.0.0/</url>
  <blocked>true</blocked>
</mirror>
Recommended Solutions
1. Use HTTPS Repositories (Preferred Solution)
Whenever possible, switch to using HTTPS repositories. Many repositories now support HTTPS, making this the most secure approach.
<repository>
  <id>primefaces.org</id>
  <name>PrimeFaces Maven Repository</name>
  <!-- Use HTTPS instead of HTTP -->
  <url>https://repository.primefaces.org</url>
</repository>
TIP
Check if your dependency repositories offer HTTPS endpoints before implementing workarounds.
2. Create Specific Mirrors for HTTP Repositories
If HTTPS is not available for a specific repository, create a targeted mirror in the <mirrors> section of settings.xml that only affects that repository. The <mirrorOf> value must match the repository's <id>:
<mirror>
  <id>eclipselink-mirror</id>
  <name>EclipseLink HTTP Mirror</name>
  <url>http://download.eclipse.org/rt/eclipselink/maven.repo/</url>
  <mirrorOf>eclipselink</mirrorOf>
</mirror>
WARNING
Only create mirrors for specific repositories you trust, not all HTTP repositories.
3. Override the Default Blocker with Exception
Add a more specific mirror rule that excludes your repository from the blocking mechanism:
<mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>!repositoryId,external:http:*</mirrorOf>
  <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
  <url>http://0.0.0.0/</url>
  <blocked>true</blocked>
</mirror>
This configuration blocks all HTTP repositories except the one with the specified repositoryId.
4. Disable the Blocker for Specific Use Cases
If necessary, you can override the default blocker by redefining it with different parameters:
<mirror>
  <id>maven-default-http-blocker</id>
  <url>http://127.0.0.1/dont-go-here</url>
  <mirrorOf>dummy</mirrorOf>
  <blocked>false</blocked>
</mirror>
Security Warning
Disabling the HTTP blocker reduces security. Only use this approach if absolutely necessary and with trusted repositories.
IDE-Specific Configuration
IntelliJ IDEA Users
Ensure Maven is using the correct settings.xml file:
- Go to Settings > Build, Execution, Deployment > Build Tools > Maven
- Verify the "User settings file" path points to your correct settings.xml
- Check the "Override" checkbox if using a custom location
Eclipse and Other IDEs
Most IDEs use the Maven installation's default settings. Ensure you're modifying the correct settings.xml file:
- Global configuration: {maven.home}/conf/settings.xml
- User-specific configuration: {user.home}/.m2/settings.xml
Troubleshooting Tips
- Clear local repository cache: Sometimes deleting the .m2/repository folder and rebuilding can resolve lingering issues.
- Verify settings.xml location: Maven uses different settings files depending on configuration. Inspect the merged settings Maven actually applies with:
  mvn help:effective-settings
- Check Maven version: Ensure you're running Maven 3.8.1 or later, as this is when the blocking behavior was introduced.
Best Practices
- Always prefer HTTPS repositories over HTTP when available
- Limit HTTP repository usage to essential cases only
- Regularly audit your dependencies and repository configurations
- Keep Maven updated to benefit from the latest security improvements
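One way to carry out the repository-configuration audit from the list above, as an added example that is not part of the original page or of Maven itself. It flags plain-HTTP repository and mirror URLs, a redefined default blocker, and repositories exempted with `!id`; the `audit` function, the severity labels and the sample settings.xml are constructed for illustration.

```python
import xml.etree.ElementTree as ET
BLOCKER_ID = "maven-default-http-blocker"  # id of Maven's built-in blocking mirror

def _local(tag):
    # Drop the XML namespace so settings.xml and pom.xml are handled alike.
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (severity, message) findings; severities are this example's own labels."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        kind = _local(elem.tag)
        if kind not in ("mirror", "repository", "pluginRepository"):
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in elem}
        ident, url = f.get("id", "?"), f.get("url", "")
        plain_http = url.lower().startswith("http://")
        blocked = f.get("blocked", "false").lower() == "true"
        if kind != "mirror":
            if plain_http:
                findings.append(("HIGH", f"{kind} '{ident}' is declared with {url}"))
        elif ident == BLOCKER_ID and not blocked:
            findings.append(("HIGH", "default HTTP blocker redefined with blocked=false"))
        elif plain_http and not blocked:
            findings.append(("HIGH", f"mirror '{ident}' downloads over {url}"))
        elif blocked:
            for part in f.get("mirrorOf", "").split(","):
                if part.strip().startswith("!"):
                    findings.append(("MEDIUM", f"'{part.strip()[1:]}' is exempt from blocking mirror '{ident}'"))
    return findings

# Constructed sample: options 2 and 3 from this page combined in one settings.xml.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"><mirrors>
  <mirror>
    <id>eclipselink-mirror</id>
    <url>http://download.eclipse.org/rt/eclipselink/maven.repo/</url>
    <mirrorOf>eclipselink</mirrorOf>
  </mirror>
  <mirror>
    <id>maven-default-http-blocker</id>
    <mirrorOf>!repositoryId,external:http:*</mirrorOf>
    <url>http://0.0.0.0/</url>
    <blocked>true</blocked>
  </mirror>
</mirrors></settings>"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SETTINGS):
        print(f"{severity:6} {message}")
```

Run it over both the global and the user settings.xml as well as each project's pom.xml, since any of them can introduce an HTTP repository or an override.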
INFO
The security feature blocking HTTP repositories is intentionally designed to protect your build process. Workarounds should be temporary while you migrate to more secure alternatives.
By following these recommendations, you can maintain both the security of your build process and access to necessary dependencies, even when they're only available through HTTP repositories.