Disable SSL verification in Spring WebClient

Carvia Tech | July 23, 2020 | 2 min read | 2,856 views | Spring Boot 2


We can use an insecure TrustManagerFactory that trusts all X.509 certificates without any verification. This will allow WebClient to communicate with a URL having any https certificate (self-signed, expired, wrong host, untrusted root, revoked, etc).

This code has been verified with Spring Boot 2.3.0.RELEASE

Gradle setup

You can always head to https://start.spring.io/ for creating a Spring Boot starter project.

Your build.gradle file should have spring-boot-starter-webflux entry, as shown in below code snippet.

build.gradle
plugins {
    id 'org.springframework.boot' version "2.3.0"
    id 'io.spring.dependency-management' version '1.0.9.RELEASE'
}

dependencies {
    implementation('org.springframework.boot:spring-boot-starter-webflux')
}

Spring 5 WebClient

A WebClient that uses this insecure TrustManagerFactory can be created like shown in below code:

Creating WebClient Bean
@Bean
public WebClient createWebClient() throws SSLException {
    SslContext sslContext = SslContextBuilder
            .forClient()
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .build();
    HttpClient httpClient = HttpClient.create().secure(t -> t.sslContext(sslContext));
    return WebClient.builder().clientConnector(new ReactorClientHttpConnector(httpClient)).build();
}

Alternatively, we can build HttpClient from TcpClient, like shown below:

Creating WebClient Bean (Using TcpClient)
@Bean
public WebClient createWebClient2() throws SSLException {
    SslContext sslContext = SslContextBuilder
            .forClient()
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .build();
    TcpClient tcpClient = TcpClient.create().secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));
    HttpClient httpClient = HttpClient.from(tcpClient);
    return WebClient.builder().clientConnector(new ReactorClientHttpConnector(httpClient)).build();
}

Now you can use this WebClient instance to make calls to a server that has self-signed/insecure/expired certificate:

Making Call to Self-signed insecure URL
@Autowired
private WebClient webClient;

String baseUrl = "https://self-signed.badssl.com/"

public void getUrl(String baseUrl) {
    webClient.get()
        .uri(baseUrl)
        .uri(b -> b.path("/").queryParam("name", "foo").build())
        .accept(MediaType.APPLICATION_JSON)
        .retrieve()
        .bodyToFlux(String.class)
        .subscribe(success -> processSuccess(success, baseUrl), throwable -> processError(throwable, baseUrl));
}

Never use this TrustManagerFactory in production. It is purely for testing purposes, and thus it is very insecure.


Top articles in this category:
  1. Disable SSL validation in Spring RestTemplate
  2. Spring Boot WebClient Basic Authentication
  3. Spring Webclient multipart file upload
  4. Send Gupshup SMS using Java API
  5. How does Session handling works in Servlet environment
  6. Prevent Lost Updates in Database Transaction using Spring Hibernate
  7. How to prevent duplicate form submission in Spring MVC


Find more on this topic:
Spring Framework image
Spring Framework

Spring Framework - MVC, Dependency Injection, Spring Hibernate, Spring Data JPA, Spring Boot and Spring Cloud for Microservices Architecture.

Last updated 1 week ago


Recommended books for interview preparation:

This website uses cookies to ensure you get the best experience on our website. more info