32
votes

Recently Sonatype enabled Maven Central to support HTTPS (background information). I've now added the following snippet to my pom.xml to force using HTTPS everywhere:

<!-- force https -->
<repositories>
    <repository>
        <id>central</id>
        <url>https://repo1.maven.org/maven2</url>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </repository>
</repositories>
<pluginRepositories>
    <pluginRepository>
        <id>central</id>
        <url>https://repo1.maven.org/maven2</url>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </pluginRepository>
</pluginRepositories>

Questions:

  • Is this sufficient? Or will there still be HTTP involved somewhere?
  • Is this the correct way of doing it? I've read that I should do this in the settings.xml instead. But then others using my (open source) project won't use the secure connection.

Update

It does not look sufficient, as HTTP is still used, e.g. for the assembly plugin:

[INFO] --- maven-assembly-plugin:2.4:single (make-assembly) @ graphhopper-web ---
Downloading: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-jdk14/1.5.6/slf4j-jdk14-1.5.6.jar
Might I ask why you are doing this? <s>Surely you wouldn't be contributing to open source projects while you're supposed to be working, while being afraid your employer might inspect the packets, would you? Nothing to hide, nothing to fear, buddy!</s> - corazza
Don't understand your question. This is to protect the users of my project from man-in-the-middle attacks. - Karussell
I was genuinely curious why exactly you were doing this, thanks for the answer, that makes sense. The <s>...</s> thing is a <s>arcastic remark about unencrypted traffic and potentially nosy employers, HTTPS is good for that too :) - corazza
I use <pluginRepositories> <pluginRepository> <id>central</id> <url>repo1.maven.org/maven2</url> <snapshots> <enabled>false</enabled> </snapshots> </pluginRepository> </pluginRepositories> and my problem is solved; mvn works and continues to download from https, thanks - Vishal Monga
Additionally I had to modify eclipse, Maven / User Settings Eclipse - Juan Gomez
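A check for the symptom shown in the question's update, as an added example that is not part of the original post: it scans Maven build output for artifact transfers that did not use HTTPS. The first two log lines are taken from the question, the remaining lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches "Downloading: <url>" (the form in the question's log) and the
# "Downloading from <repo-id>: <url>" form printed by newer Maven releases,
# with or without a leading "[INFO] " style prefix.
TRANSFER = re.compile(
    r"^(?:\[\w+\]\s+)?(?:Downloading|Downloaded)(?: from (?P<repo>\S+))?: (?P<url>\S+)")

# First two lines are from the question; the rest are constructed samples.
SAMPLE_LOG = """\
[INFO] --- maven-assembly-plugin:2.4:single (make-assembly) @ graphhopper-web ---
Downloading: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-jdk14/1.5.6/slf4j-jdk14-1.5.6.jar
Downloaded: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-jdk14/1.5.6/slf4j-jdk14-1.5.6.jar (9 KB at 50.0 KB/sec)
Downloading: https://repo1.maven.org/maven2/org/example/demo/1.0/demo-1.0.pom
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/example/demo/1.0/demo-1.0.jar
"""

def plain_http_transfers(log_text):
    """Return sorted unique (repo_id, url) pairs fetched over a non-HTTPS scheme."""
    hits = set()
    for line in log_text.splitlines():
        m = TRANSFER.match(line.strip())
        if m and urlsplit(m["url"]).scheme.lower() != "https":
            # Older log formats carry no repository id, so record "?" instead.
            hits.add((m["repo"] or "?", m["url"]))
    return sorted(hits)

def hosts_summary(transfers):
    """Count offending artifacts per host so the responsible repository stands out."""
    return Counter(urlsplit(url).netloc for _, url in transfers)

if __name__ == "__main__":
    found = plain_http_transfers(SAMPLE_LOG)
    for repo, url in found:
        print(f"non-HTTPS transfer (repo {repo}): {url}")
    print(dict(hosts_summary(found)))
```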

8 Answers

42
votes

You don't have to place it into all POMs one by one. I'd rather suggest adding the following code to MAVEN_HOME\conf\settings.xml, in the <profiles> section:

<profile>
    <id>maven-https</id>
    <activation>
        <activeByDefault>true</activeByDefault>
    </activation>
    <repositories>
        <repository>
            <id>central</id>
            <url>https://repo1.maven.org/maven2</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>central</id>
            <url>https://repo1.maven.org/maven2</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </pluginRepository>
    </pluginRepositories> 
</profile>

This will always be an active setting unless you disable/override it in your POM when needed.

29
votes

This is already fixed in latest maven 3.2.3! See the changelogs!

So install maven 3.2.3 and do 'rm -rf ~/.m2/repository/*' for a better feeling ;)

14
votes

You can do the following to force Maven to use a single repo:

<settings>
  ...
  <mirrors>
    <mirror>
      <id>internal-repository</id>
      <name>Maven Repository Manager running on https://repo1.maven.org/maven2</name>
      <url>https://repo1.maven.org/maven2</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
  ...
</settings>

You can find more info here.

And also you can use authentication to the repo if you like, the info is here.

6
votes

Add the code below to your pom.xml file; there is no need to remove the local cache. It works like a charm.

<distributionManagement>
    <repository>
        <id>Central Maven repository</id>
        <name>Central Maven repository https</name>
        <url>https://repo.maven.apache.org/maven2</url>
    </repository>
</distributionManagement>

Maven update with terminal

mvn -U clean install

1
votes

I was also getting the same issue and tried all the possible ways by changing the proxies mapping, but nothing worked. Finally I got the solution: adding the code below to the settings.xml file in the .m2 folder resolved the problem.

Note: It works fine for me without enabling the proxy in settings.xml.

<settings>
    <mirrors>
        <mirror>
            <id>internal-repository</id>
            <name>Maven Repository Manager running on https://repo1.maven.org/maven2</name>
            <url>https://repo1.maven.org/maven2</url>
            <mirrorOf>*</mirrorOf>
        </mirror>
    </mirrors>
</settings>

1
votes

This question was asked in a recent question. Since NetBeans was not specifically covered in existing answers here, I am adding the following.


Short Answer

Upgrade Maven. The URLs you need to use (with the https protocol) will be provided in a suitably recent version of Maven. This is the simplest solution for older installations of NetBeans.


Details

For NetBeans 8.2, which uses version 3.0.5 as its bundled Maven version, you can upgrade Maven to at least version 3.2.3 (or later).

Check the Current Version

You can check which version of Maven is being used by NetBeans as follows:

  • In the main menu, go to Tools > Options.

  • Select the Java icon, and then the Maven tab below it.

[Screenshot: the Maven tab in the NetBeans Options dialog]

Install an Upgraded Version

Download and install Maven - for example, from here:

https://maven.apache.org/download.cgi

The installation instructions are here:

https://maven.apache.org/install.html

Update NetBeans

Go back to the location in NetBeans shown in the above screenshot.

Click on the Maven Home drop-down and select "browse...". Navigate to the location where you installed the new version of Maven - for example:

E:\apache-maven-3.8.2-bin\apache-maven-3.8.2

You should now see the new version reflected in NetBeans.

Click OK.

Finally, re-try the failed build command.

0
votes

To resolve this error, you can add a new repository: https://repo.maven.apache.org/maven2/


0
votes

Based on @Karussell, instead of deleting the whole local repository, you can fix it by deleting a specific package.

  1. Install/Update maven to latest version (>= 3.2.3)
  2. Go to your local repository directory (~/.m2/repository)
  3. Delete all packages under org.apache.maven: rm -rf ~/.m2/repository/org/apache/maven/*

By doing the above steps, you will need to re-download some of Maven's packages, but you don't need to re-download all packages.