Disable SSL Certificate Verification for RestClient and WebClient
Shohanur RahmanTo disable SSL certificate verification in Spring Boot using RestTemplate or WebClient, you can configure them to ignore SSL validation. Here’s how you can do it for both:
1. Disabling SSL Certificate Verification for RestTemplate
You need to create a custom RestTemplate bean with SSL verification disabled:
RestTemplate Configuration
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.client.RestTemplate;
import javax.net.ssl.*;
import java.security.cert.X509Certificate;
@Configuration
public class RestTemplateConfig {
@Bean
public RestTemplate restTemplate() throws Exception {
// Trust all certificates
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) {}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) {}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}
};
// Set up SSL context to use our TrustManager
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
// Configure RestTemplate to use the SSL context
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
// Disable hostname verification
HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
return new RestTemplate();
}
}
Explanation:
TrustManager: Implements a
TrustManagerthat does not perform any checks.SSLContext: Configures an
SSLContextto use our customTrustManager.HostnameVerifier: Disables hostname verification.
2. Disabling SSL Certificate Verification for WebClient
For WebClient, configure the underlying HTTP client (Reactor Netty) to skip SSL validation.
WebClient Configuration
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.transport.ssl.SslContextBuilder;
import javax.net.ssl.SSLException;
@Configuration
public class WebClientConfig {
@Bean
public WebClient.Builder webClientBuilder() throws SSLException {
// Configure HttpClient to disable SSL validation
HttpClient httpClient = HttpClient.create()
.secure(sslContextSpec -> sslContextSpec.sslContext(
SslContextBuilder.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE)
));
return WebClient.builder().clientConnector(new reactor.netty.http.client.HttpClientConnector(httpClient));
}
}
Explanation:
InsecureTrustManagerFactory: Disables certificate validation.
HttpClient: Configures the HTTP client to use the modified SSL context.
Important Security Note:
Disabling SSL verification is not recommended for production environments because it exposes your application to potential MITM (Man-in-the-Middle) attacks. This should only be used for testing purposes or when working in a controlled environment with self-signed certificates.
Usage Example:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Service;
import com.example.dto.WhatsAppMessageRequest;
import reactor.core.publisher.Mono;
@Service
public class WhatsAppClient {
@Autowired
private RestTemplate restTemplate;
@Autowired
private WebClient.Builder webClientBuilder;
public void sendMessageWithRestTemplate(WhatsAppMessageRequest messageRequest, String token) {
ResponseEntity<String> response = restTemplate.postForEntity(
"https://api.whatsapp.com/sendMessage",
messageRequest,
String.class
);
System.out.println("Response using RestTemplate: " + response.getBody());
}
public void sendMessageWithWebClient(WhatsAppMessageRequest messageRequest, String token) {
WebClient webClient = webClientBuilder.build();
Mono<String> response = webClient.post()
.uri("https://api.whatsapp.com/sendMessage")
.header("Authorization", "Bearer " + token)
.bodyValue(messageRequest)
.retrieve()
.bodyToMono(String.class);
response.subscribe(System.out::println);
}
}
By using this configuration, your RestTemplate and WebClient will bypass SSL certificate checks, enabling you to make API calls to endpoints with self-signed or untrusted certificates.
Subscribe to my newsletter
Read articles from Shohanur Rahman directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Shohanur Rahman
Shohanur Rahman
👋 Hey there! I’m Shohanur Rahman! I’m a backend developer with over 5.5 years of experience in building scalable and efficient web applications. My work focuses on Java, Spring Boot, and microservices architecture, where I love designing robust API solutions and creating secure middleware for complex integrations. 💼 What I Do Backend Development: Expert in Spring Boot, Spring Cloud, and Spring WebFlux, I create high-performance microservices that drive seamless user experiences. Cloud & DevOps: AWS enthusiast, skilled in using EC2, S3, RDS, and Docker to design scalable and reliable cloud infrastructures. Digital Security: Passionate about securing applications with OAuth2, Keycloak, and digital signatures for data integrity and privacy. 🚀 Current Projects I’m currently working on API integrations with Spring Cloud Gateway and designing an e-invoicing middleware. My projects often involve asynchronous processing, digital signature implementations, and ensuring high standards of security. 📝 Why I Write I enjoy sharing what I’ve learned through blog posts, covering everything from backend design to API security and cloud best practices. Check out my posts if you’re into backend dev, cloud tech, or digital security!