Skip SSL certificate verification in Spring Rest Template

By -

How to skip SSL certificate verification while using Spring Rest Template? Configure Rest Template so it uses Http Client to create requests.

Note: If you are familiar with sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target the below should help you.

Http Client

Firstly, import HttpClient (>4.4), to your project

compile('org.apache.httpcomponents:httpclient:4.5.1')

Configure RestTemplate

Configure SSLContext using Http Client’s SSLContexts factory methods: 

TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;

SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
        .loadTrustMaterial(null, acceptingTrustStrategy)
        .build();

SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);

CloseableHttpClient httpClient = HttpClients.custom()
        .setSSLSocketFactory(csf)
        .build();

HttpComponentsClientHttpRequestFactory requestFactory =
        new HttpComponentsClientHttpRequestFactory();

requestFactory.setHttpClient(httpClient);

RestTemplate restTemplate = new RestTemplate(requestFactory);

org.apache.http.ssl.TrustStrategy is used to override standard certificate verification process. In the above example - it always returns true, so the certificate can be trusted without further verification.

The Test

@Test
public void opensSSLPage() throws Exception {
    String uri = "https://some-secured-page.com";
    ResponseEntity<String> entity = restTemplate.getForEntity(uri, String.class);
    assertThat(entity.getStatusCode().is2xxSuccessful()).isTrue();
}

Final Word

The above code helps in certain situations (e.g. testing against servers with self-signed certificates), but it should not be used in production - unless you are 100% sure what you are doing.

Comments

  1. Robin HowlettFebruary 12, 2016 at 1:21 AM

    Yup, that'll do it, but if you want to see an example of validating the certs against keystores check out my post: www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/

    and the partner Spring Boot demo app: https://github.com/robinhowlett/everything-ssl

    I know it can be handy to bypass the validation but I'd always encourage leaving it as a last resort.

    ReplyDelete
    Replies
    1. Rafał BorowiecFebruary 12, 2016 at 10:55 AM

      Thank you! Great references!

      Delete
    2. ZilevFebruary 29, 2016 at 3:37 PM

      Robin great post!!! , About this "www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/" Do you have and example about one way ssl using Springboot?, I've seen in your examples only two way en springboot. Regards

      Delete
    3. Robin HowlettMarch 1, 2016 at 11:36 PM

      @Zilev I've replied on my blog post.

      Delete
  2. OhadMarch 9, 2017 at 8:36 AM

    awesome! thanks!

    ReplyDelete
  3. Guillaume GarciaJune 14, 2017 at 9:39 AM

    Tried many things before this post of yours... Hopefully, your configuration worked beautifully! Thx

    ReplyDelete
  4. UnknownJune 17, 2017 at 1:56 AM

    Is this procedure the same as "add an exception" when we try to access an ssl secure website?
    May I make this reference?

    Thanks

    ReplyDelete

Post a Comment

Popular posts from this blog

Different ways of validating @RequestBody in Spring MVC with @Valid annotation

By -
In Spring MVC the @RequestBody annotation indicates a method parameter should be bound to a body of the request. @RequestBody parameter can treated as any other parameter in a @RequestMapping method and therefore it can also be validated by a standard validation mechanism. In this post I will show 3 ways of validating the @RequestBody parameter in your Spring MVC application.
Read more