Spring Boot RestTemplate is an extremely versatile tool for making HTTP Requests. However, it is good to know about certain tricks while using Rest Template. In this post, we will look at how to avoid SSL validation in Spring Boot RestTemplate while making a call.

If you are not much aware about RestTemplate, you can check out my detailed post about Spring Boot RestTemplate integration.

1 – Understanding the Issue

Sometimes, when we are using RestTemplate to make a call to a HTTPS endpoint, we can run into certificate issue. Doing the SSL check is the default behavior of the RestTemplate.

The production-level resolution to that issue is usually to add the required certificates to your application keystore. Then only, you can make the HTTPS request successfully.

However, doing so in a development environment can be a little cumbersome. Usually, while developing an application, we don’t want to go through the hassle of generating appropriate certificates and managing the keystore. We want to test our API integration as fast as possible.

Hence, it is often desired to skip the SSL verification. At least, during the development phase.

2 – Avoid SSL Validation RestTemplate

To skip or avoid the SSL check, we need to modify the default RestTemplate available with the normal Spring package.

To do so, we need to create a configuration class as below:

@Configuration
public class RestTemplateConfig{
 
	@Bean
	public RestTemplate restTemplate() throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
    		TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
 
    		SSLContext sslContext = org.apache.http.ssl.SSLContexts.custom()
                    		.loadTrustMaterial(null, acceptingTrustStrategy)
                    		.build();
 
    		SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(sslContext);
 
    		CloseableHttpClient httpClient = HttpClients.custom()
                    		.setSSLSocketFactory(csf)
                    		.build();
 
    		HttpComponentsClientHttpRequestFactory requestFactory =
                    		new HttpComponentsClientHttpRequestFactory();
 
    		requestFactory.setHttpClient(httpClient);
    		RestTemplate restTemplate = new RestTemplate(requestFactory);
   		return restTemplate;
 	}
}

In this configuration class, we basically declare a new Bean that creates a HTTPClient with the certificate check as disabled.

Then, the HTTP Client is wrapped in a HTTP Request Factory and a new instance of RestTemplate is created using the same.

Finally, we return the Rest Template instance.

With is configuration, if we autowire the RestTemplate in any of our other classes, we will be getting the modified RestTemplate minus the SSL check.

Note that this approach to avoid SSL Validation for RestTemplate is suitable only for development purposes. For production code, you should still go for proper certificate management and SSL verification. Disabling SSL verification can lead to security risks.


Saurabh Dashora

Saurabh is a Software Architect with over 12 years of experience. He has worked on large-scale distributed systems across various domains and organizations. He is also a passionate Technical Writer and loves sharing knowledge in the community.

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *