Maven now disables all insecure http://* mirrors by default. Here is explanation from maven mainteners:
http://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291
More and more repositories use HTTPS nowadays, but this hasn’t always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because uploaded POMs to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with parameter, and we added a new external:http:* mirror selector (like existing external:*), meaning “any external URL using HTTP”.
The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.
The solution (not recommended for security reasons mentioned above) may be to remove <blocked> section from mirror list in default Maven settings.xml file (/usr/share/maven/conf/settings.xml)
Update:
We can find there are 2 settings.xml in two Maven paths:
- The Maven install:
${maven.home}/conf/settings.xml - A user’s install:
${user.home}/.m2/settings.xml
If you do not want to edit anything in the default settings in Maven install. You can add a new mirror with the same ID to overwrite this settings. Add below inside settings > mirrors section:
<mirror>
<id>maven-default-http-blocker</id>
<url>http://127.0.0.1/dont-go-here</url>
<mirrorOf>dummy</mirrorOf>
<blocked>false</blocked>
</mirror>