Skip SSL certificate verification in Spring Rest Template
How to skip SSL certificate verification while using Spring Rest Template? Configure Rest Template so it uses Http Client to create requests.
Note: If you are familiar with sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
the below should help you.
Http Client
Firstly, import HttpClient
(>4.4), to your project
compile('org.apache.httpcomponents:httpclient:4.5.1')
Configure RestTemplate
Configure SSLContext
using Http Client’s SSLContexts
factory methods:
TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
.loadTrustMaterial(null, acceptingTrustStrategy)
.build();
SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);
CloseableHttpClient httpClient = HttpClients.custom()
.setSSLSocketFactory(csf)
.build();
HttpComponentsClientHttpRequestFactory requestFactory =
new HttpComponentsClientHttpRequestFactory();
requestFactory.setHttpClient(httpClient);
RestTemplate restTemplate = new RestTemplate(requestFactory);
org.apache.http.ssl.TrustStrategy
is used to override standard certificate verification process. In the above example - it always returns true
, so the certificate can be trusted without further verification.
The Test
@Test
public void opensSSLPage() throws Exception {
String uri = "https://some-secured-page.com";
ResponseEntity<String> entity = restTemplate.getForEntity(uri, String.class);
assertThat(entity.getStatusCode().is2xxSuccessful()).isTrue();
}
Final Word
The above code helps in certain situations (e.g. testing against servers with self-signed certificates), but it should not be used in production - unless you are 100% sure what you are doing.
Yup, that'll do it, but if you want to see an example of validating the certs against keystores check out my post: www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/
ReplyDeleteand the partner Spring Boot demo app: https://github.com/robinhowlett/everything-ssl
I know it can be handy to bypass the validation but I'd always encourage leaving it as a last resort.
Thank you! Great references!
DeleteRobin great post!!! , About this "www.robinhowlett.com/blog/2016/01/05/everything-you-ever-wanted-to-know-about-ssl-but-were-afraid-to-ask/" Do you have and example about one way ssl using Springboot?, I've seen in your examples only two way en springboot. Regards
Delete@Zilev I've replied on my blog post.
Deleteawesome! thanks!
ReplyDeleteTried many things before this post of yours... Hopefully, your configuration worked beautifully! Thx
ReplyDeleteIs this procedure the same as "add an exception" when we try to access an ssl secure website?
ReplyDeleteMay I make this reference?
Thanks