Skip SSL certificate verification in Spring Rest Template

By -

How to skip SSL certificate verification while using Spring Rest Template? Configure Rest Template so it uses Http Client to create requests.

Note: If you are familiar with sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target the below should help you.

Http Client

Firstly, import HttpClient (>4.4), to your project

compile('org.apache.httpcomponents:httpclient:4.5.1')

Configure RestTemplate

Configure SSLContext using Http Client’s SSLContexts factory methods: 

TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;

SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
        .loadTrustMaterial(null, acceptingTrustStrategy)
        .build();

SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);

CloseableHttpClient httpClient = HttpClients.custom()
        .setSSLSocketFactory(csf)
        .build();

HttpComponentsClientHttpRequestFactory requestFactory =
        new HttpComponentsClientHttpRequestFactory();

requestFactory.setHttpClient(httpClient);

RestTemplate restTemplate = new RestTemplate(requestFactory);

org.apache.http.ssl.TrustStrategy is used to override standard certificate verification process. In the above example - it always returns true, so the certificate can be trusted without further verification.

The Test

@Test
public void opensSSLPage() throws Exception {
    String uri = "https://some-secured-page.com";
    ResponseEntity<String> entity = restTemplate.getForEntity(uri, String.class);
    assertThat(entity.getStatusCode().is2xxSuccessful()).isTrue();
}

Final Word

The above code helps in certain situations (e.g. testing against servers with self-signed certificates), but it should not be used in production - unless you are 100% sure what you are doing.

Comments

  1. Robin HowlettFebruary 12, 2016 at 1:21 AM

    Yup, that'll do it, but if you want to see an example of validating the certs against keystores check out my post: www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/

    and the partner Spring Boot demo app: https://github.com/robinhowlett/everything-ssl

    I know it can be handy to bypass the validation but I'd always encourage leaving it as a last resort.

    ReplyDelete
    Replies
    1. Rafał BorowiecFebruary 12, 2016 at 10:55 AM

      Thank you! Great references!

      Delete
    2. ZilevFebruary 29, 2016 at 3:37 PM

      Robin great post!!! , About this "www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/" Do you have and example about one way ssl using Springboot?, I've seen in your examples only two way en springboot. Regards

      Delete
    3. Robin HowlettMarch 1, 2016 at 11:36 PM

      @Zilev I've replied on my blog post.

      Delete
  2. OhadMarch 9, 2017 at 8:36 AM

    awesome! thanks!

    ReplyDelete
  3. Guillaume GarciaJune 14, 2017 at 9:39 AM

    Tried many things before this post of yours... Hopefully, your configuration worked beautifully! Thx

    ReplyDelete
  4. UnknownJune 17, 2017 at 1:56 AM

    Is this procedure the same as "add an exception" when we try to access an ssl secure website?
    May I make this reference?

    Thanks

    ReplyDelete

Post a Comment

Popular posts from this blog

Different ways of validating @RequestBody in Spring MVC with @Valid annotation

By -
In Spring MVC the @RequestBody annotation indicates a method parameter should be bound to a body of the request. @RequestBody parameter can treated as any other parameter in a @RequestMapping method and therefore it can also be validated by a standard validation mechanism. In this post I will show 3 ways of validating the @RequestBody parameter in your Spring MVC application.
Read more

Asynchrouns and Transactional Event Listeners in Spring

By -
The built-in event publication functionality exists from the early Spring versions and it is still useful for handling basic communication between Spring components in the same application context. In general, the application can generate application events (that can be arbitrary objects) and listen to them. The whole mechanism is really simple: using ApplicationPublisher you publish events and using EventListener you handle them. What I find especially useful is asynchronous and transactional event listeners.
Read more