Home » Java » Enterprise Java » Skip SSL certificate verification in Spring Rest Template

About Rafal Borowiec

Rafal Borowiec
Software developer, Team Leader, Agile practitioner, occasional blogger, lecturer. Open Source enthusiast, quality oriented and open-minded.

Skip SSL certificate verification in Spring Rest Template

How to skip SSL certificate verification while using Spring Rest Template? Configure Rest Template so it uses Http Client to create requests.

Note: If you are familiar with sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target the below should help you.

Http Client

Firstly, import HttpClient (>4.4), to your project

compile('org.apache.httpcomponents:httpclient:4.5.1')

Configure RestTemplate

Configure SSLContext using Http Client’s SSLContexts factory methods:

TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;

SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
        .loadTrustMaterial(null, acceptingTrustStrategy)
        .build();

SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);

CloseableHttpClient httpClient = HttpClients.custom()
        .setSSLSocketFactory(csf)
        .build();

HttpComponentsClientHttpRequestFactory requestFactory =
        new HttpComponentsClientHttpRequestFactory();

requestFactory.setHttpClient(httpClient);

RestTemplate restTemplate = new RestTemplate(requestFactory);

org.apache.http.ssl.TrustStrategy is used to override standard certificate verification process. In the above example – it always returns true, so the certificate can be trusted without further verification.

The Test

@Test
public void opensSSLPage() throws Exception {
    String uri = "https://some-secured-page.com";
    ResponseEntity<String> entity = restTemplate.getForEntity(uri, String.class);
    assertThat(entity.getStatusCode().is2xxSuccessful()).isTrue();
}

Final Word

The above code helps in certain situations (e.g. testing against servers with self-signed certificates), but it should not be used in production – unless you are 100% sure what you are doing.

(0 rating, 0 votes)
You need to be a registered member to rate this.
Start the discussion Views Tweet it!
Do you want to know how to develop your skillset to become a Java Rockstar?
Subscribe to our newsletter to start Rocking right now!
To get you started we give you our best selling eBooks for FREE!
1. JPA Mini Book
2. JVM Troubleshooting Guide
3. JUnit Tutorial for Unit Testing
4. Java Annotations Tutorial
5. Java Interview Questions
6. Spring Interview Questions
7. Android UI Design
and many more ....
I agree to the Terms and Privacy Policy

Leave a Reply

avatar

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
Notify of