Disable SSL verification in Spring WebClient

Upasana | July 23, 2020 | 2 min read | 2,856 views | Spring Boot 2


We can use an insecure TrustManagerFactory that trusts all X.509 certificates without any verification. This will allow WebClient to communicate with a URL having any https certificate (self-signed, expired, wrong host, untrusted root, revoked, etc).

This code has been verified with Spring Boot 2.3.0.RELEASE

Gradle setup

You can always head to https://start.spring.io/ for creating a Spring Boot starter project.

Your build.gradle file should have spring-boot-starter-webflux entry, as shown in below code snippet.

build.gradle
plugins {
    id 'org.springframework.boot' version "2.3.0"
    id 'io.spring.dependency-management' version '1.0.9.RELEASE'
}

dependencies {
    implementation('org.springframework.boot:spring-boot-starter-webflux')
}

Spring 5 WebClient

A WebClient that uses this insecure TrustManagerFactory can be created like shown in below code:

Creating WebClient Bean
@Bean
public WebClient createWebClient() throws SSLException {
    SslContext sslContext = SslContextBuilder
            .forClient()
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .build();
    HttpClient httpClient = HttpClient.create().secure(t -> t.sslContext(sslContext));
    return WebClient.builder().clientConnector(new ReactorClientHttpConnector(httpClient)).build();
}

Alternatively, we can build HttpClient from TcpClient, like shown below:

Creating WebClient Bean (Using TcpClient)
@Bean
public WebClient createWebClient2() throws SSLException {
    SslContext sslContext = SslContextBuilder
            .forClient()
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .build();
    TcpClient tcpClient = TcpClient.create().secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));
    HttpClient httpClient = HttpClient.from(tcpClient);
    return WebClient.builder().clientConnector(new ReactorClientHttpConnector(httpClient)).build();
}

Now you can use this WebClient instance to make calls to a server that has self-signed/insecure/expired certificate:

Making Call to Self-signed insecure URL
@Autowired
private WebClient webClient;

String baseUrl = "https://self-signed.badssl.com/"

public void getUrl(String baseUrl) {
    webClient.get()
        .uri(baseUrl)
        .uri(b -> b.path("/").queryParam("name", "foo").build())
        .accept(MediaType.APPLICATION_JSON)
        .retrieve()
        .bodyToFlux(String.class)
        .subscribe(success -> processSuccess(success, baseUrl), throwable -> processError(throwable, baseUrl));
}

Never use this TrustManagerFactory in production. It is purely for testing purposes, and thus it is very insecure.


Top articles in this category:
  1. Disable SSL validation in Spring RestTemplate
  2. Spring Boot WebClient Basic Authentication
  3. Send Gupshup SMS using Java API
  4. Spring Webclient multipart file upload
  5. How does Session handling works in Servlet environment
  6. Prevent Lost Updates in Database Transaction using Spring Hibernate
  7. How to prevent duplicate form submission in Spring MVC

Recommended books for interview preparation:

Find more on this topic:
Buy interview books

Java & Microservices interview refresher for experienced developers.