How to Disable the maven-default-http-blocker gracefully

Recently, after upgrading Maven to 3.8.1, my mvn builds kept failing because dependencies could not be pulled. The error message was as follows:

Could not validate integrity of download from http://0.0.0.0/...

The full error message is as follows:

[WARNING] Could not validate integrity of download from http://0.0.0.0/com/alibaba/nacos/nacos-client-mse-extension/1.4.2-SNAPSHOT/maven-metadata.xml
org.eclipse.aether.transfer.ChecksumFailureException: Checksum validation failed, expected <!doctype but is 18420d7f1430a348837b97a31a80e374e3b00254
    at org.eclipse.aether.connector.basic.ChecksumValidator.validateExternalChecksums (ChecksumValidator.java:174)
    at org.eclipse.aether.connector.basic.ChecksumValidator.validate (ChecksumValidator.java:103)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$GetTaskRunner.runTask (BasicRepositoryConnector.java:460)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$TaskRunner.run (BasicRepositoryConnector.java:364)
    at org.eclipse.aether.util.concurrency.RunnableErrorForwarder$1.run (RunnableErrorForwarder.java:75)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$DirectExecutor.execute (BasicRepositoryConnector.java:628)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector.get (BasicRepositoryConnector.java:235)
    at org.eclipse.aether.internal.impl.DefaultMetadataResolver$ResolveTask.run (DefaultMetadataResolver.java:573)
    at org.eclipse.aether.util.concurrency.RunnableErrorForwarder$1.run (RunnableErrorForwarder.java:75)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1130)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:630)
    at java.lang.Thread.run (Thread.java:832)
[WARNING] Checksum validation failed, expected <!doctype but is 18420d7f1430a348837b97a31a80e374e3b00254 from maven-default-http-blocker for http://0.0.0.0/com/alibaba/nacos/nacos-client-mse-extension/1.4.2-SNAPSHOT/maven-metadata.xml
Downloaded from maven-default-http-blocker: http://0.0.0.0/com/alibaba/nacos/nacos-client-mse-extension/1.4.2-SNAPSHOT/maven-metadata.xml (63 kB at 19 kB/s)

Searching for the keyword maven-default-http-blocker turns up the relevant information.

In short, downloading dependencies over the HTTP protocol may lead to man-in-the-middle attacks. For example, you might intend to download the nacos-client, but malicious code could be inserted into the downloaded artifact. If a developer then runs the code, hackers could gain control of the developer’s computer.

Therefore, Maven 3.8.1 has blocked all Maven repositories using the HTTP protocol.

For details, refer to the Release Notes of Maven 3.8.1.

The problem is that in daily development, we often use internal Maven repositories within the company. These repositories generally use the HTTP protocol. Since Maven 3.8.1 blocks the HTTP protocol, it results in the error mentioned at the beginning.

After some research, I found that the blocker can be disabled as follows:

Add a mirror with the same id in ~/.m2/settings.xml and specify that this mirror does not apply to any repositories.

<!-- Same id as the built-in blocker; "!*" means this mirror applies to no repository -->
<mirror>
  <id>maven-default-http-blocker</id>
  <mirrorOf>!*</mirrorOf>
  <url>http://0.0.0.0/</url>
</mirror>

After that, you can continue to use Maven normally.

P.S. For external repositories, it is still recommended to use the HTTPS protocol to prevent targeted man-in-the-middle attacks.
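Once the blocker is overridden this way, nothing stops an external HTTP repository from being used by accident. The following audit script is an added example, not part of the original post: it reports whether a settings.xml overrides the blocker and which HTTP repositories point at hosts outside an internal allowlist. The host names, the sample file and the function name are assumptions; the `<blocked>` element comes from Maven's settings model, not from this post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

BLOCKER_ID = "maven-default-http-blocker"

# Constructed sample: the override from this post plus three repositories
# (hypothetical hosts).
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors><mirror><id>maven-default-http-blocker</id>
    <mirrorOf>!*</mirrorOf><url>http://0.0.0.0/</url></mirror></mirrors>
  <profiles><profile><id>corp</id><repositories>
    <repository><id>internal</id><url>http://nexus.corp.example/repo</url></repository>
    <repository><id>vendor</id><url>http://repo.vendor.example/maven2</url></repository>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
  </repositories></profile></profiles>
</settings>"""


def _local(tag):
    """Drop the XML namespace so files with or without xmlns both parse."""
    return tag.rsplit("}", 1)[-1]


def audit_settings(xml_text, internal_hosts):
    """Return (blocker_overridden, [(id, url)]) for HTTP repos on non-internal hosts."""
    root = ET.fromstring(xml_text)
    overridden = False
    exposed = []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in ("mirror", "repository", "pluginRepository"):
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if kind == "mirror" and fields.get("id") == BLOCKER_ID:
            # A mirror that reuses the blocker's id without
            # <blocked>true</blocked> switches the protection off.
            overridden = fields.get("blocked", "false").lower() != "true"
            continue
        url = urlparse(fields.get("url", ""))
        if url.scheme == "http" and url.hostname not in internal_hosts:
            exposed.append((fields.get("id"), url.geturl()))
    return overridden, exposed


if __name__ == "__main__":
    print(audit_settings(SAMPLE_SETTINGS, {"nexus.corp.example"}))
```

Repositories declared in a project's pom.xml use the same `<repository>` elements, so the same function can be pointed at a POM as well.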


http://boblu.net/how-to-disable-maven-default-http-blocker/
Author
Bob
Posted on
April 22, 2021