Disable Maven central repository

My company's policy frowns upon artifacts downloaded automatically (they have to be approved), so in order to use Maven I need to disable access to Maven's central repository.

In other words, I don't want Maven to attempt any downloads from central.

I know how to configure a local repository (networked or not), my idea is using a "blessed" machine to update the local repository.

PS: I could block requests at the proxy/network level, but I'm asking about how to do it with Maven's configuration.

UPDATE I finally figured out how to do it. In maven's home, in the conf directory is a global settings.xml. You can either set a mirror to central that points to some internal server or just override it's definition.


Solution 1:

Agreed. No direct downloads from external repositories should be allowed in your release builds.

The specific answer to your question is the second part of my answer :-)

Setup a repository manager

I'd recommend setting up a local Maven repository manager. Good options are the following:

  • Nexus
  • Artifactory
  • Archiva
  • Reposilite

All of these are capable of acting as a caching proxy for the externally available Maven central jars.

You might also be interested in the Profession version of Nexus. It includes a Procurement suite for managing external libraries. It also provides Maven plugins for centrally managing the Maven settings file, which is the second part of my answer...

Local Maven settings

Update the settings file located in the following directory:

$HOME/.m2/settings.xml

Specify that all central requests should be redirected to the local Maven repository:

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                      http://maven.apache.org/xsd/settings-1.0.0.xsd">
  ...
  <mirrors>
    <mirror>
      <id>central-proxy</id>
      <name>Local proxy of central repo</name>
      <url>http://<hostname>/central</url>
      <mirrorOf>central</mirrorOf>
    </mirror>
  </mirrors>
  ...
</settings>

Solution 2:

I found the Configuring Artifacts Resolution page helpful. It states the following about the "mirror any"-setup.

Don't use "mirror any" by itself, as your only resolution rule. Use it to enforce any artifacts resolution to be made strictly through Artifactory. The "mirror any" proxying configuration works for defined repositories. It will supersede, but not hide, the built-in central and snapshots repositories, unless overridden by the user. It defines a coarse-grained proxying rule that does not differentiate between releases and snapshots, and relies on the defined repositories to do this resolution filtering.

The Super POM of Maven defines the central respository. Here is how you can override the central repository and the plugin-repository for releases and snapshots:

<repositories>
    <repository>
        <id>central</id>
        <url>http://repo1.maven.org/maven2</url>
        <releases>
                <enabled>false</enabled>
        </releases>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </repository>    
</repositories>
<pluginRepositories>
    <pluginRepository>
        <id>central</id>
        <url>http://repo1.maven.org/maven2</url>
        <releases>
            <enabled>false</enabled>
        </releases>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </pluginRepository>
</pluginRepositories>

Of course you should have a replacement configured, as the accepted answer stated.