What is the correct way of forcing maven to use HTTPS for maven central?

Question

Recently sonatype enabled maven central to support https (background information). I've now added the following snippet to my pom.xml to force using https everywhere:

<!-- force https -->
<repositories>
    <repository>
        <id>central</id>
        <url>https://repo1.maven.org/maven2</url>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </repository>
</repositories>
<pluginRepositories>
    <pluginRepository>
        <id>central</id>
        <url>https://repo1.maven.org/maven2</url>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </pluginRepository>
</pluginRepositories>

Questions:

• Is this sufficient? Or will there be still http involved somewhere?
• Is this the correct way of doing it? As I've read that I should do this in the settings.xml instead. But then others using my (open source) project won't use the secure connection.

Update

It does not look sufficient as for e.g. the assembly plugin still HTTP is used:

[INFO] --- maven-assembly-plugin:2.4:single (make-assembly) @ graphhopper-web ---
Downloading: http://repo.maven.apache.org/maven2/org/slf4j/slf4j-jdk14/1.5.6/slf4j-jdk14-1.5.6.jar

Answer 1

You don't have to place it into all POMs one by one. I'd rather suggest to add the following code into MAVEN_HOME\conf\settings.xml into <profiles> section:

<profile>
    <id>maven-https</id>
    <activation>
        <activeByDefault>true</activeByDefault>
    </activation>
    <repositories>
        <repository>
            <id>central</id>
            <url>https://repo1.maven.org/maven2</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </repository>
    </repositories>
    <pluginRepositories>
        <pluginRepository>
            <id>central</id>
            <url>https://repo1.maven.org/maven2</url>
            <snapshots>
                <enabled>false</enabled>
            </snapshots>
        </pluginRepository>
    </pluginRepositories> 
</profile>

This will be always an active setting unless you disable/override it in your POM when needed.

Answer 2

This question was asked in a recent question. Since NetBeans was not specifically covered in existing answers here, I am adding the following.

---

Short Answer

Upgrade Maven. The URLs you need to use (with the https protocol) will be provided in a suitably recent version of Maven. This is the simplest solution for older installations of NetBeans.

---

Details

For NetBeans 8.2, which uses version 3.0.5 as its bundled Maven version, you can upgrade Maven to at least version 3.2.3 (or later).

Check the Current Version

You can check which version of Maven is being used by NetBeans as follows:

• In the main menu, go to Tools > Options.

• Select the Java icon, and then the Maven tab below it.

Install an Upgraded Version

Download and install Maven - for example, from here:

https://maven.apache.org/download.cgi

The installation instructions are here:

https://maven.apache.org/install.html

Update NetBeans

Go back to the location in NetBeans shown in the above screenshot.

Click on the Maven Home drop-down and select "browse...". Navigate to the location where you installed the new version of Maven - for example:

E:\apache-maven-3.8.2-bin\apache-maven-3.8.2

You should now see the new version reflected in NetBeans.

Click OK.

Finally, re-try the failed build command.

Answer 3

Based on @Karussell, instead of deleting the whole local repository, you can fix it by deleting a specific package.

1. Install/Update maven to latest version (>= 3.2.3)
2. Go to your local repository directory (~/.m2/repository)
3. Delete all packages under org.apache.maven: rm -rf ~/.m2/repository/org/apache/maven/*

By doing above steps, you will need to re-download some maven's packages, but doesn't need to re-download the whole packages.

Answer 4

I was also getting the same issue and tried all the possible ways by changing the proxies mapping but nothing works, finally i got the solution by adding the below code in setting.xml file in .m2 folder resolve the problem.

Note: Working fine for me without enable the proxy in setting.xml.

<settings>
<mirrors>
    <mirror>
        <id>internal-repository</id>
        <name>Maven Repository Manager running on https://repo1.maven.org/maven2</name>
        <url>https://repo1.maven.org/maven2</url>
        <mirrorOf>*</mirrorOf>
    </mirror>
</mirrors>

Answer 5

for resolve this error you can add new Repository as https://repo.maven.apache.org/maven2/

Answer 6

Add below code in your pom.xml file and no need to remove local cache, It's works like a charm

<distributionManagement>
       <repository>
          <id>Central Maven repository</id>
          <name>Central Maven repository https</name>
          <url>https://repo.maven.apache.org/maven2</url>
       </repository>
    </distributionManagement>

Maven update with terminal

mvn -U clean install

Answer 7

This is already fixed in latest maven 3.2.3! See the changelogs!

So install maven 3.2.3 and do 'rm -rf ~/.m2/repository/*' for a better feeling ;)

Answer 8

You can do the following to force maven use single repo:

<settings>
  ...
  <mirrors>
    <mirror>
      <id>internal-repository</id>
      <name>Maven Repository Manager running on https://repo1.maven.org/maven2</name>
      <url>https://repo1.maven.org/maven2</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
  ...
</settings>

You can find more info here.

And also you can use authentication to the repo if you like, the info is here.