External HTTP repositories are disabled in Maven primarily for security reasons, so that all build processes use HTTPS. Starting with Maven 3.8.1, Maven blocks downloads from HTTP repositories by default, because HTTP does not provide the secure data transmission that HTTPS does.
If you need to disable HTTP repository access in Maven (i.e., enforce HTTPS), follow these steps:
- Update the `settings.xml` file: In the `settings.xml` file (typically located at `$M2_HOME/conf` or in the user's `${user.home}/.m2` directory), configure a `<mirror>` entry to redirect all HTTP repository access to HTTPS. For example, add the following configuration:

  ```xml
  <mirrors>
    <mirror>
      <id>central-https</id>
      <mirrorOf>external:http:*</mirrorOf>
      <url>https://repo1.maven.org/maven2/</url>
      <name>Central Repository over HTTPS</name>
    </mirror>
  </mirrors>
  ```

  Here, the key is `<mirrorOf>external:http:*</mirrorOf>`, which applies to all external HTTP sources. All requests are redirected to the central repository accessed via HTTPS. Artifacts hosted only in the original HTTP repository are not available from Central, so they will fail to resolve under this mirror.
- Avoid using HTTP repositories in the project's `pom.xml`: Check that the `pom.xml` file does not declare any repositories that use the HTTP protocol. If any exist, replace them with HTTPS links.
- Use Maven command-line options: When running Maven commands, you can pass parameters on the command line that affect HTTP access. For example, use `-Dmaven.wagon.http.pool=false` to disable HTTP connection pooling (though this does not directly disable HTTP repositories).
- Enterprise-level configuration: If you use a repository manager such as Nexus or Artifactory in an enterprise environment, configure all Maven clients at the enterprise level to communicate with the repository servers only via HTTPS.
By following these steps, you can enhance security when using Maven, ensuring that all dependency downloads occur over the secure HTTPS protocol. This not only protects code security but also aligns with modern software development best practices.