// build.gradle
plugins {
    id 'java'
    id 'org.springframework.boot' version '2.3.0.RELEASE'
    id 'io.spring.dependency-management' version '1.0.9.RELEASE'
}

repositories {
    mavenCentral()
}

dependencies {
    implementation('org.springframework.boot:spring-boot-starter-webflux')
}
Disable SSL verification in Spring WebClient
Upasana | July 23, 2020 | 2 min read | 2,856 views | Spring Boot 2
We can use an insecure TrustManagerFactory that trusts all X.509 certificates without any verification. This allows WebClient to communicate with an HTTPS URL regardless of the certificate the server presents (self-signed, expired, wrong host, untrusted root, revoked, etc.).
This code has been verified with Spring Boot 2.3.0.RELEASE
Gradle setup
You can always head to https://start.spring.io/ for creating a Spring Boot starter project.
Your build.gradle file should include the spring-boot-starter-webflux dependency, as in the build.gradle snippet at the top of this page.
Spring 5 WebClient
A WebClient that uses this insecure TrustManagerFactory can be created as shown in the code below:
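import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import javax.net.ssl.SSLException;
import org.springframework.context.annotation.Bean;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;

@Bean
public WebClient createWebClient() throws SSLException {
    SslContext sslContext = SslContextBuilder
            .forClient()
            .trustManager(InsecureTrustManagerFactory.INSTANCE) // accepts every certificate
            .build();
    HttpClient httpClient = HttpClient.create().secure(t -> t.sslContext(sslContext));
    return WebClient.builder().clientConnector(new ReactorClientHttpConnector(httpClient)).build();
}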
Alternatively, we can build the HttpClient from a TcpClient, as shown below:
import reactor.netty.tcp.TcpClient; // in addition to the imports used above

@Bean
public WebClient createWebClient2() throws SSLException {
    SslContext sslContext = SslContextBuilder
            .forClient()
            .trustManager(InsecureTrustManagerFactory.INSTANCE) // accepts every certificate
            .build();
    TcpClient tcpClient = TcpClient.create().secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));
    HttpClient httpClient = HttpClient.from(tcpClient);
    return WebClient.builder().clientConnector(new ReactorClientHttpConnector(httpClient)).build();
}
Now you can use this WebClient instance to make calls to a server that has a self-signed/insecure/expired certificate:
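import org.springframework.http.MediaType;

@Autowired
private WebClient webClient;

String baseUrl = "https://self-signed.badssl.com/";

public void getUrl(String baseUrl) {
    webClient.get()
            // uri(String, Function) builds the path and query on top of baseUrl;
            // two chained uri() calls do not compile
            .uri(baseUrl, b -> b.path("/").queryParam("name", "foo").build())
            .accept(MediaType.APPLICATION_JSON)
            .retrieve()
            .bodyToFlux(String.class)
            // processSuccess and processError are the caller's own handlers (not shown on this page)
            .subscribe(success -> processSuccess(success, baseUrl), throwable -> processError(throwable, baseUrl));
}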
Never use this TrustManagerFactory in production. It is purely for testing purposes: because it accepts any certificate, the client cannot authenticate the server it is talking to, and thus it is very insecure.