1. Overview
In this tutorial, we'll explore how to use the Java HttpClient to connect to HTTPS URLs. We'll also learn how to use the client with URLs that don't have a valid SSL certificate.
In older versions of Java, we preferred to use libraries like Apache HTTPClient and OkHttp to connect to a server. In Java 11, an improved HttpClient library was added to the JDK. Let's explore how to use it to call a service over SSL.
2. Calling an HTTPS URL Using the Java HttpClient
We'll use test cases to run the client code. For testing purposes, we'll use an existing URL that runs on HTTPS.
Let's write code to set up the client and call the service:
HttpClient httpClient = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://www.google.com/"))
.build();
HttpResponse<String> response = httpClient.send(request, HttpResponse.BodyHandlers.ofString());
Here, we first created a client using the HttpClient.newHttpClient() method. Then, we created a request and set the URL of the service we're going to hit. Finally, we sent the request using the HttpClient.send() method and collected the response – a HttpResponse object containing the response body as a String.
When we put the above code in a test case and perform the below assertion, we'll observe that it passes:
assertEquals(200, response.statusCode());
3. Calling an Invalid HTTPS URL
Now, let's change the URL to another one that doesn't have a valid SSL certificate. We can do so by changing the request object:
HttpRequest request = HttpRequest.newBuilder()
.uri(new URI("https://www.testingmcafeesites.com/"))
.build();
When we run the test again, we get the below error:
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching www.testingmcafeesites.com found.
at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:212)
at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
This is because the URL doesn't have a valid SSL certificate.
4. Bypassing SSL Certificate Verification
To resolve the error we got above, let's look at a solution to bypass SSL certificate verification.
In Apache HttpClient, we could modify the client to bypass certificate verification. However, we can't do that with the Java HttpClient. We'll have to rely on making changes to the JVM to disable hostname verification.
One way to do this is to import the website's certificate into the Java KeyStore. This is a common practice and is a good option if there are a small number of internal, trusted websites.
However, this can become tiresome if there are a large number of websites or too many environments to manage. In this case, we can use the property jdk.internal.httpclient.disableHostnameVerification to disable hostname verification.
We can set this property when running the application as a command-line argument:
java -Djdk.internal.httpclient.disableHostnameVerification=true -jar target/java-httpclient-ssl-0.0.1-SNAPSHOT.jar
Alternatively, we can programmatically set this property before creating our client:
Properties props = System.getProperties();
props.setProperty("jdk.internal.httpclient.disableHostnameVerification", Boolean.TRUE.toString());
HttpClient httpClient = HttpClient.newHttpClient();
When we run the test now, we'll see that it passes.
We should note that changing the property would mean that certificate verification is disabled for all requests. This may not be desirable, especially in production. However, it's common to introduce this property in non-production environments.
5. Can We Use Java HttpClient With Spring?
Spring provides two popular interfaces to make HTTP requests:
- RestTemplate for synchronous requests
- WebClient for synchronous and asynchronous requests
Both can be used along with popular HTTP clients such as Apache HttpClient, OkHttp, and the old HttpURLConnection. However, we can't plug Java HttpClient into these two interfaces. It's rather seen as an alternative to them.
We can use Java HttpClient to make synchronous and asynchronous requests, convert requests and responses, add timeouts, etc. Therefore, it can be utilized directly without needing Spring's interfaces.
6. Conclusion
In this article, we explored how to use the Java HTTP Client to connect to a server that requires SSL. We also looked at ways to use the client with URLs that don't have a valid certificate.
As always, the code for these examples is available over on GitHub.
res – REST with Spring (eBook) (everywhere)
