Shohanur Rahman's blog

Disable SSL Certificate Verification for RestClient and WebClient

Shohanur Rahman's photo
Shohanur Rahman
·

2 min read

Table of contents

To disable SSL certificate verification in Spring Boot using RestTemplate or WebClient, you can configure them to ignore SSL validation. Here’s how you can do it for both:

1. Disabling SSL Certificate Verification for RestTemplate

You need to create a custom RestTemplate bean with SSL verification disabled:

RestTemplate Configuration

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.client.RestTemplate;
import javax.net.ssl.*;
import java.security.cert.X509Certificate;

@Configuration
public class RestTemplateConfig {

    @Bean
    public RestTemplate restTemplate() throws Exception {
        // Trust all certificates
        TrustManager[] trustAllCerts = new TrustManager[]{
            new X509TrustManager() {
                @Override
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                @Override
                public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }
            }
        };

        // Set up SSL context to use our TrustManager
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustAllCerts, new java.security.SecureRandom());

        // Configure RestTemplate to use the SSL context
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

        // Disable hostname verification
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);

        return new RestTemplate();
    }
}

Explanation:

  • TrustManager: Implements a TrustManager that does not perform any checks.

  • SSLContext: Configures an SSLContext to use our custom TrustManager.

  • HostnameVerifier: Disables hostname verification.

2. Disabling SSL Certificate Verification for WebClient

For WebClient, configure the underlying HTTP client (Reactor Netty) to skip SSL validation.

WebClient Configuration

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.transport.ssl.SslContextBuilder;
import javax.net.ssl.SSLException;

@Configuration
public class WebClientConfig {

    @Bean
    public WebClient.Builder webClientBuilder() throws SSLException {
        // Configure HttpClient to disable SSL validation
        HttpClient httpClient = HttpClient.create()
                .secure(sslContextSpec -> sslContextSpec.sslContext(
                        SslContextBuilder.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE)
                ));

        return WebClient.builder().clientConnector(new reactor.netty.http.client.HttpClientConnector(httpClient));
    }
}

Explanation:

  • InsecureTrustManagerFactory: Disables certificate validation.

  • HttpClient: Configures the HTTP client to use the modified SSL context.

Important Security Note:

Disabling SSL verification is not recommended for production environments because it exposes your application to potential MITM (Man-in-the-Middle) attacks. This should only be used for testing purposes or when working in a controlled environment with self-signed certificates.

Usage Example:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Service;
import com.example.dto.WhatsAppMessageRequest;
import reactor.core.publisher.Mono;

@Service
public class WhatsAppClient {

    @Autowired
    private RestTemplate restTemplate;

    @Autowired
    private WebClient.Builder webClientBuilder;

    public void sendMessageWithRestTemplate(WhatsAppMessageRequest messageRequest, String token) {
        ResponseEntity<String> response = restTemplate.postForEntity(
                "https://api.whatsapp.com/sendMessage",
                messageRequest,
                String.class
        );
        System.out.println("Response using RestTemplate: " + response.getBody());
    }

    public void sendMessageWithWebClient(WhatsAppMessageRequest messageRequest, String token) {
        WebClient webClient = webClientBuilder.build();
        Mono<String> response = webClient.post()
                .uri("https://api.whatsapp.com/sendMessage")
                .header("Authorization", "Bearer " + token)
                .bodyValue(messageRequest)
                .retrieve()
                .bodyToMono(String.class);

        response.subscribe(System.out::println);
    }
}

By using this configuration, your RestTemplate and WebClient will bypass SSL certificate checks, enabling you to make API calls to endpoints with self-signed or untrusted certificates.

Spring BootSSL Certificate