Public Maven Repositories: Maven Central and More

Contents

Read the entire article, or jump ahead to the relevant section.

Apache Maven

Apache Maven, and derivative build tools such as Leiningen, SBT, Gradle, Ivy, and others, are in use across software organizations to build software that runs on the Java Virtual Machine (JVM).

Apache Maven facilitates the storage and retrieval of dependencies which are stored in maven repositories.

If all this seems new or unfamiliar to you, please check out our previous article: “What is a Maven Repository?” and then rejoin us here.

This article will focus on the most commonly used, publicly available, repositories in use in the industry today.

Let’s begin…

Public Maven Repositories

Public Maven Repositories

As seen in the image above, repositories can be either local or remote. Remote repositories can be either public or private.

A public maven repository stores software artifacts (libraries, binaries, and other dependencies) that are free for the entire world to download, usually without credentials or authentication.

Contrast with private repositories that will require credentials or some sort of non-public access (like network isolation, mutual SSL, etc.).

Pro Tip: A common misconception is to believe that all publicly available maven artifacts are open source and free to use for commercial software development.

There are various levels of permissiveness in software licensing. Be sure to check all license agreement of any artifacts you use before you add then to your project’s dependencies (and especially before you ship any software!).

That warning aside, let’s begin with the largest and most widely used public repository, Maven Central.

Maven Central

Containing over three million software artifacts, the Central Repository is one of the world’s largest and oldest archives of software libraries.

Enabled by default in all maven clients it is widely considered to be the ‘central’ repository of the Java and JVM developer ecosystem.

Accessing Maven Central

You can search Central directly if you know which specific artifacts you wish to access.

If you prefer a more user friendly interface that allows you to browse the contents of Central and hundreds of other repositories, check out an maven repository aggregator such as Maven Repository.

An aggregator will help you will find information on licensing, transitive dependencies, source code links, and more - all across many different public repositories.

If you prefer a basic listing of all artifacts in central you can access central directly.

Accessing Central from the maven command line client requires no additional configuration.

Publishing Artifacts

Many developers publish Software Development Kits (SDKs), or other libraries, to Central so that they can be found easily and used with minimal configuration.

If you’d like to find out more details on how to publish your libraries to the world, follow the guide to uploading artifacts to the Central Repository.

Explicitly Using Central from your POM

To explicitly use Central from your Project Object Model (POM) file, you may do so by adding the following to your pom.xml:

  <repositories>
    <repository>
      <id>central</id>
      <name>Default Repository</name>
      <layout>default</layout>
      <url>https://repo1.maven.org/maven2</url>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
    </repository>
  </repositories>
  

This is based on the Maven Default Project which defines the Super POM, or default settings, for all builds performed with Apache Maven.

Note: You do not have to explicitly define this repository as it is the default public repository for all maven builds.

Disabling the Default Repository

You may have a reason or use case that requires you to disable access to the default repository. If you’d like to do this, you can add the following to your pom:

<repositories>
    <repository>
      <id>central</id>
      <name>Default Repository</name>
      <layout>default</layout>
      <url>https://repo1.maven.org/maven2</url>
      <releases>
        <enabled>false</enabled>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
    </repository>
  </repositories>
  

Essentially, we’re overriding the value at repositories | repository | id and disabling both maven snapshots and releases.

By overriding the id in the pom file, we are able to override any values that have been set for that id in the super (default) pom.

Note: If you disable access to Central, please be sure to add an entry for an alternative repository to your pom so that you will be able to retrieve artifacts.

If all repositories are disabled then you will not be able to download any dependencies and your build will break!

Overriding the Default Public Repository

Similar to disabling the default repository, if you wish to override the default public repository (and point it somewhere else, for example), declare the repository in your pom and set the <url> (in the repositories | release | url ) tag to point at your desired location.

Additional Repositories

There are several other publicly available repositories available for use today.

These exist for various reasons as some companies like to host their own artifacts in order to control the process and availability of the dependencies they provide.

We list some of the larger ones here, in alphabetical order.

Clojars - The Clojure Repository

Clojars is the primary public repository for the Clojure community. If you’re using Clojure to develop your software then it is definitely something you’ll want to become familiar with..

Clojars is accessed by default by most Clojure based build tools such as Leiningen, Boot, and Deps.

Add Clojars to your POM file:

<repositories>
  <repository>
    <id>clojars.org</id>
    <url>https://repo.clojars.org</url>
  </repository>
</repositories>

Sonatype Releases

The Sonatype Releases Repository is the staging repository for all artifacts that are published to Maven Central.

If you are trying to distribute your artifacts to the widest possible audience, then you’ll use this repository as part of the process.

You can browse its contents or search through the Maven Repository interface.

Add the Sonatype Releases to your POM file:

<repositories>
  <repository>
    <id>Sonatype Releases</id>
    <url>https://oss.sonatype.org/content/repositories/releases/</url>
  </repository>
</repositories>

Spring Framework

The Spring Framework is a Java Framework that helps Java engineers accomplish many different tasks related to software development.

Spring provides so many different libraries and dependencies that the maintainers have decided to create their own maven repository to host them (in addition to Central).

You can use the Spring Repository with the following configuration:

Spring Releases

All past and current releases of the Spring Framework can be retrieved from the Spring Releases Repository.

You can use the Releases Repository with the following:

<repository>
      <id>spring-releases</id>
      <name>Spring Releases</name>
      <url>https://repo.spring.io/release</url>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
</repository>

Spring Snapshots

It’s recommended that you use release version of dependencies as frequently as you can.

However, if you need a pre-release version of a Spring library, you can use the Spring Snapshots repository to retrieve them.

Here’s the POM file configuration:

<repository>
      <id>spring-snapshots</id>
      <name>Spring Snapshots</name>
      <url>https://repo.spring.io/snapshot</url>
      <releases>
        <enabled>false</enabled>
      </releases>
      <snapshots>
        <enabled>true</enabled>
      </snapshots>
</repository>

Other Public Repositories

As we mentioned before, some organizations like to maintain their own public maven repositories. Here are a list of a few of the larger ones:

Looking for others beyond the ones listed here?

Here’s the most extensive list of public maven repositories that we’ve been able to find.

Pro Tips and Best Practices When Using a Public Repository

HTTP vs HTTPS

You should be very cautious when using an external maven repository which has an url that begins with HTTP.

HTTP is an inherently insecure protocol and should never be used when there is an HTTPS (SSL) alternative.

Caution is required because many examples and repositories still offer the HTTP protocol.

It is a good practice to attempt to use HTTPS in place of HTTP for these servers.

Note: If your repository does not support https then you should look to use a repository with stronger security.

Don’t Rely on Public Repositories

While pointing at public repositories is a great way to get started with your software project, it does introduce some risks.

Artifacts in public repositories are controlled by third parties and may be removed at some point in the future.

While not a common occurrence, having just one dependency removed from a repository can stop your project from building.

Google provides a mirror of Central that may help you find missing dependencies after they are deleted from central but before the mirror updates.

Thank You

Thank you for taking the time to read this article - we hope that it provided value for you in your quest to better understand Maven.

If you have any feedback about this article, or would like to see additional content on related topics, please let us know.

If you’re looking for Private Maven Repositories, CloudRepo offers those to both companies and individuals.

We offer a 14 day free trial and we’d love to have you join us as a partner.